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Chapter 1: Introduction 



Applying content filtering and virus scanning to requested and posted Web content in 

an enterprise is vital to securing the network and improving productivity. 

□ Content filtering allows you to regulate, based on content categories, which Web 
sites employees are allowed to access and which are restricted. 

□ Virus scanning allows you to scan both incoming content and content leaving the 
enterprise network for viruses and other malicious code, such as drive-by software 
that propagates spyware. 

This document contains the following chapters: 

□ Chapter 2: "Filtering Web Content" 

□ Chapter 3: "Malicious Content Scanning Services" 

□ Chapter 4: "Configuring Service Groups" 

Document Conventions 

The following section lists the typographical and Command Line Interface (CLI) syntax 

conventions used in this manual. 



Table 1 -1 . Document Conventions 



Conventions 


Definition 


Italics 


The first use of a new or Blue Coat-proprietary term. 


Courier font 


Command line text that appears on your administrator workstation. 


Courier Italics 


A command line variable that is to be substituted with a literal name or 
value pertaining to the appropriate facet of your network system. 


Courier Boldface 


A Blue Coat literal to be entered as shown. 


u 


One of the parameters enclosed within the braces must be supplied 


[] 


An optional parameter or parameters. 


1 


Either the parameter before or after the pipe character can or must be 
selected, but not both. 
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Chapter 2: Filtering Web Content 



This chapter describes how to configure the SG appliance to process client Web 
requests and filter the returning content. 

This chapter contains the following sections: 

□ "Section A: About Filtering Web Content" on page 10 

□ "Section B: Configuring Blue Coat Web Filter" on page 14 

□ "Section C: Configuring a Local Database" on page 20 

□ "Section D: Configuring Internet Watch Foundation" on page 24 

□ "Section E: Configuring a Third-Party Vendor" on page 28 

□ "Section F: Applying Policy" on page 35 

□ "Section G: Configuring Websense Off-box Content Filtering" on page 42 
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Section A: About Filtering Web Content 

Content filtering allows you to control access to Web sites based on their perceived 
content. This section describes Web-content filtering. 

About Content Filtering Databases 

A content filtering database is simply a set of rules for organizing URLs into meaningful 
categories. Depending on the vendor, a URL is listed under one category or several 
categories. 

A content filtering database does not block any Web site or any category by default. The 
role of the database is to offer additional information to the proxy server and to the 
administrator about the client request. Client access depends on the rules and policies 
implemented by the administrator in accordance with company standards. 



Important: Because of the dynamic nature of the Internet, there is a constant flow of 
new URLs (and URLs on lesser-known sites) that will not be in the existing content 
filtering database. Those URLs that are not in the database are marked as none, and you 
can create a policy to categorize these. 



About Content Filtering Categories 

A small number of categories can be used to effectively classify the vast and constantly 
growing number of URLs that are found on the Web. After the Web sites and content are 
categorized, you can control access to that content through policy. 

Individual content filter providers (Blue Coat Web Filter or third-party vendors) define 
the content- filtering categories and their meanings. After providers are configured and 
the databases are available, URLs can be mapped to lists of categories. These categories 
are then made available to policy, where decisions like limiting online shopping or 
blocking job searching can be controlled. 

For example: 

<proxy> 

url . category=" Jobs" exception ( content_f ilter_denied ) 



Note: You can request that specific URLs be reviewed for correct categorization, if your 
content filtering provider supports this. For Blue Coat Web Filter, visit 
http://sitereview.bluecoat.com/ to have a URL's category reviewed. 



On-box Versus Off-box Solutions 

You can deploy content filtering in the following two ways, both of which the SG 
appliance supports: 

□ On-box: When the content filtering database exists on the proxy. This provides the 
best performance because the proxy does not need to retrieve information from 
another network server. 

□ Off -box: When the proxy must contact another server over the network to categorize 
URLs. 
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The following diagram illustrates the process flow when Web content filtering (on-box or 
off-box) is employed in the network. 



Policy evaluation against an 
orvbox database 



\ 




Legend 

A: A client connected to the ProxySG. 

B: ProxySG content filtering solution (conftent filter vendor + Blue Coat policy). 
C: Web Content. 



Process Flow 

1: (Blue arrow) The client requests a Web page. 

2: The ProxySG checks the requested URL against the content filtering database to determine 
the categorization. 

3: After the URL is categorized, the policy engine determines if the URL is allowable or ? not. 
4: (Blue arrow) The URL is allowed and the request continues to its destination. 

5. (Red arrow) The policy denies the request and returns a message concerning? corporate 
Web compliance. 



Figure 2-1. Web Content Filtering Process Flow (On-box or Off-box) 



Blue Coat Web Content Filtering Solutions 

The SG appliance offers the following content filtering options, any of which you can use 

separately or simultaneously: 

□ Using Blue Coat Web Filter (BCWF), an on-box content filtering database maintained 
by Blue Coat, which also offers dynamic category-rating abilities. For example, if a 
URL is not found in the on-box database, BCWF can attempt to categorize it 
dynamically, in real time. 

□ Uploading your custom content filtering database to the SG appliance. You would 
create your own local database file in the same way that you create policy files, except 
that only define category statements are allowed in the local database. 

□ Using a currently supported third-party content filtering vendor database. See 
"Section E: Configuring a Third-Party Vendor" on page 28. 

□ Enabling the Internet Watch Foundation (IWF) database. See "Section D: Configuring 
Internet Watch Foundation" on page 24. 



Note: For information about the IWF, visit their Web site at http:/ / www.iwf.org.uk/. 
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About Blue Coat Web Filter 

Blue Coat Web Filter (BCWF) is a hybrid solution combining an extremely comprehensive 
on-box URL database with a service that can provide real-time categorization of unlisted 
URLs. For more information about real-time rating and categorization of URLs, see 
"About Dynamic Real-Time Rating" on page 12. 

A world-wide network of servers allows the SG appliance to expediently update the 
master BCWF database. For information about BCWF automatic updating feature and 
scheduling updates, see "Specifying a Custom Time Period to Update Blue Coat Web 
Filter" on page 16. 



Note: BCWF supports many languages. Refer to the Blue Coat Release Notes for this 
release for the most up-to-date list of supported languages. 



About Dynamic Real-Time Rating 

Dynamic Real-Time Rating (DRTR) provides real-time analysis and content categorization 
of requested Web pages to solve the problem of new and previously unknown, 
uncategorized URLs — those not in the database. 

When a user requests a URL that has not already been categorized by the BCWF database 
(for example, a brand new Web site), the SG appliance dynamic categorization service 
analyzes elements of the requested content and assigns a category or categories. The 
dynamic service is consulted only when the installed BCWF database does not contain 
sufficient category information for a requested URL. 



Note: If the category returned by this service is blocked by policy, the offending material 
never enters the network in any form. 



About the DRTR Process 

Dynamic analysis of content is performed on a remote network service and not locally on 
the SG appliance. There is a very minimal amount of bandwidth used for the round-trip 
request and response, and a slight amount of time waiting for the service to provide 
results. The service is only consulted for URLs that cannot be locally categorized and 
results are cached on the SG appliance, so the user experience is generally not affected. To 
avoid any amount of user-request latency and to defer categorization, set DRTR to run in 
background mode. For more information, see "Configuring Dynamic Real-Time Rating" on 
page 17. 

The following diagram illustrates BCWF content filtering flow when DRTR is employed. 
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Legend 

A: A client connected into the ProxySG. 

B: ProxySG with BCWF content filtering and DRTR enabled. 

C: DRTR server. 

D: Web content. 

Process Flow 

1: (Blue arrow) Client 1 requests a Web page. 

2: The ProxySG checks the requested URL against the BCWF database for 
categorization. No match is found. 

3: The remote Dynamic Rating Service accesses and analyzes the requested site, 
categorizes the content. 

4: After the URL is categorized, the policy engine determines if the URL is allowable 
or not. 

5: (Blue arrow) The URL is allowed and the request continues to its destination for 
full retrieval. 

6. (Red arrow) The policy denies the request and returns a message concerning 
corporate Web compliance. 

Figure 2-2. BCWF with DRTR Content Employed 
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Section B: Configuring Blue Coat Web Filter 

This section describes how to select and configure Blue Coat Web Filter (BCWF), how to 
schedule a custom database update schedule, and how to change DRTR settings. 



Important: BCWF requires a valid license provided by Blue Coat. Refer to the 
Licensing chapter in Volume 1: Getting Started. 



Selecting Blue Coat Web Filter 

To select Blue Coat Web Filter: 

1. Select Configuration > Content Filtering > General. 



General 

r Providers 



Provider 


Enable 


Lookup mode 


Local Database: 


□ 


0 Always O Uncategorized 


Internet Watch Foundation: 


□ 


0 Always O Uncategorized 


Blue Coat Web Filter: 


0 


0 Always 0 Uncategorized 


3rd-party database: 


None 


0 Always Q Uncategorized 



- Options 

0 Enable Category Review Message in Exceptions 

- Diagnostics 

1 View Categories | view available categories 

URL: | |[ Test | 



2. Select Enable for Blue Coat Web Filter. 

3. Select the Lookup Mode. 

a. The default is Always, which specifies that BCWF will always be consulted for 
category information. 

b. Uncategorized specifies that the lookup is skipped if the URL has already been 
found in policy, a Local database, or the Internet Watch Foundation (IWF) 
database. 

4. (Optional) In the Options section, select Enable Category Review Message in 
Exceptions. This adds a link to the default content filter exception page that can be 
used to request review of the categories assigned to a blocked URL. 

Two substitutions ($ (exception_category_review_url) and 

$ (exception_category_review_message) ) are automatically appended to the help 
element of all exception definitions. For information on using the 
$ (except ion. help) element, refer to Volume 6: VPM and Advanced Policy. 
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Note: The substitution values are empty if the database was not consulted for 
categorization or if the categorization process failed due to an error. 



5. Click Apply to commit the changes to the SG appliance. 



Note: If this is the first time you enabled BCWF, a small database that contains the 
category list is downloaded, allowing immediate policy creation. 

No username or password is required during the trial period (60 days). To download 
the database on demand or on a schedule, you must configure BCWF service. 



Configuring Blue Coat Web Filter 



To configure Blue Coat Web filter: 

1. Select Configuration > Content Filtering > Blue Coat. 



2 . 



3. 



Blue Coat Web Filter 



Dynamic Categorization (DRTR) 



Download - 

Username: 



admin 



Change Password 



Change the download password 



URL: 



https: //list, bluecoat. com/bcwf/activity/download/bcwf. db 



Set to default 



Download now 



View Download Status 



0 Automatically check for updates 

Only between the hours of 



and 



When you subscribed to BCWF Service, you received a username and password for 
access to download updates. (If you are in the trial period, no username or password 
is required.) 

a. In the Username field, enter your username. 

b. Click Change Password. The Change Password dialog displays. 

c. Enter your password and click OK. 

Download the database: 

a. The default database download location displays in the URL field. 



Note: Only enter a new URL if instructed. Otherwise, accept the default. 



4. Click Download Now. The Download Status dialog displays, stating that a download 
has started. 
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a. 

b. 




Click Close to close the Download status dialog. 

To view the download log, click View Download Status. A new browser 
window opens, displaying the download log. 



Download log: 

Blue Coat download at: 2007/06/07 17:40:42-0400 

Downloading from https://list. bluecoat . com/bcwf /activity/ download/ 
bcwf . db 

Requesting differential update 
Differential update applied successfully 

84103448 

Wed, 07 Jun 2007 08:11:51 UTC 
Fri, 07 Jul 2007 08:11:51 UTC 
2005040 



Download size: 
Database date: 
Database expires : 
Database version: 



c. When you are finished viewing the download log, close the browser window. 



5. Click Apply to commit the changes to the SG appliance. 



Specifying a Custom Time Period to Update Blue Coat Web Filter 

The SG appliance checks for updates to the database several times an hour. When an 
update is available, it is automatically downloaded and applied. Typically, an update 
contains only the information that has changed. 

You can prevent this automatic check entirely by disabling automatic updates. You can 
also restrict the checks to occur only within a specific time period. For example, you can 
choose to check for updates only between the hours of 8 am and 11 pm. The time frame is 
always local time. 



Note: When the database is downloaded, a log is available that includes detailed 
information about how the database was updated. You can view the download log in the 
Management Console by clicking View Download Status on the BCWF tab, selecting 

Statistics > Advanced > Content Filter Service, or in the CLI (SGOS#(config) show 
content-filter status). 



To specify a custom time period for updates: 

1. Select Configuration > Content Filtering > Blue Coat. The Automatically Check for 
Updates check box is selected by default. 
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a. 

b. 



2. Click Apply to commit the changes to the SG appliance. 

Configuring Dynamic Real-Time Rating 

By default, DRTR is enabled and configured to categorize un-categorized URLs. If this 
service is causing significant delays to enterprise Web communications, you can run the 
service in the background or disable the feature. 

About Proxy Chaining Support for DRTR 

The SG appliance allows you to forward BCWF DRTR requests through upstream proxy 
servers and SOCKS gateways, which eliminates the requirement for the SG appliance to 
have direct connection to back-end servers. 

Forwarding Hosts and Groups 

You can specify the alias of a forwarding host or group that has already been defined. If 
you want the DRTR requests to be forwarded through an upstream HTTP proxy, 
configure a forwarding host that is defined as a proxy and has an HTTP port set. Then 
select that forwarding host in the DRTR configuration. 



Blue Coat Web Filtei 



Dynamic Categorization (DRTR) 



r Download - 

Username: 



admin 



Change Password 



Change the download password 



URL 



https: //list, bluecoat. com/bcwf/activity/download/bcwf. db 



Set to default 



Download now 



View Download Status 



0 Automatically check for updates 

0 Only between the hours of 



08:00 v 



and 



23:59 v 



Select the Only between the hours of check box. The time frame is local time. 
Click the arrows to view the drop-down lists, and set the time period for your 
update schedule. For example, to check for updates between the hours of 8 
am and midnight, set the first box to 08:00 and the second box to 23:59. 



Important: Do not define your proxy as a server. An attempt to configure proxy 
chaining using a server results in an error. 



SOCKS Gateways 

When you use proxy chaining to forward DRTR requests through an upstream SOCKS 
gateway, you must configure the SOCKS gateway. 
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If both a forwarding host or group alias and a SOCKS gateway are specified in the proxy 
chain, the SG appliance attempts the connection through the SOCKS gateway to the 
forwarding target. 

Configuring DRTR 

Complete the following procedures to configure DRTR. Note that Enable Dynamic 
Categorization (DRTR) is enabled by default. 

To configure DRTR: 

1. Select Configuration > Content Filtering > Blue Coat > Dynamic Categorization (DRTR). 



Blue Coat Web Filter Dynamic Categorization (DRTR) 

0 Enable Dynamic Categoric 



Dynamic Categorization settings 

Default Mode: 

O Do not categorize dynamically 
O Categorize dynamically in the background 
® Categorize dynamically in real-time 



Forwarding target: 
SOCKS gateway target: 



none 



none 



Categorize dynamically in real-time is enabled by default. If DRTR is disabled, the SG 
appliance does not contact the service when no category is found for a URL in the 
database, and all Dynamic Categorization properties specified in policy are ignored. If 
DRTR is enabled for BCWF, it is only invoked while BCWF is in use. 



2. Select one of the following settings: 

a. Do not categorize dynamically. The loaded database is consulted for category 
information. URLs not found in the database show up as category none. 

Dynamic categorization is still possible, but only occurs when explicitly 
invoked by policy. 

b. Categorize dynamically in the background. In background mode, after a call is 
made to the dynamic categorization service, the URL request immediately 
proceeds without waiting for the external service to respond. The system 
category pending is assigned to the request, indicating that the policy was 
evaluated with potentially incomplete category information. 

The results of DRTR are entered into a categorization cache (as are the results of 
real-time requests). This cache ensures that any subsequent requests for the same 
or similar URLs can be categorized quickly, without needing to query the external 
service again. 

c. Categorize dynamically in real-time (default). The advantage of real-time mode 
categorization is that Blue Coat policy has access to the results, allowing 
policy decisions to be made immediately upon receiving all available 
information. 



3. Click Apply to commit the changes to the SG appliance. 
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About DRTR States 

DRTR has three states: 

□ Enabled: The service attempts to categorize unrated Web sites. 

□ Disabled: If the service is disabled, the SG appliance does not make any contact with 
the service, regardless of any installed policy. 

□ Suspended: If BCWF license expires and DRTR is enabled, the service enters a 
suspended state; during this time the SG appliance does not make contact with the 
service, regardless of any installed policy. After BCWF license is updated, DRTR 
returns to enabled status. 

To view DRTR status (CLI only): 

At the (conf ig) prompt, enter the following command: 

SG0S# (config content-filter) view 
Provider: Blue Coat 
Dynamic Categorization: 

Service: Enabled/Disabled/Suspended < one state is displayed 



Diagnostics 

Diagnostics allows you to see all categories available for use in policy or test a URL 
against the database. Categories are not displayed for a vendor or local database if no 
database has been downloaded. 



To see all available categories: 

1. On the Configuration > Content Filtering > General page, click View Categories. 

2. To see what categories a Web site is assigned by your current configuration, enter the 
URL into the URL field and click Test. 



Related CLI Syntax to Manage the BCWF Database 

□ To enter configuration mode: 

SGOS# (config) content- filter 



□ The following subcommands are available: 



SGOS# (config content-filter) 

SGOS# (config content-filter) 

uncategorized} 

SGOS# (config content-filter) 
SGOS# (config content-filter) 



provider bluecoat {enable | disable} 
provider bluecoat lookup-mode {always 



categories 
bluecoat 

SGOS# (config bluecoat) download {all-day | auto | between-hours | 
encrypted-password | get-now | password | url | username} 

SGOS# (config bluecoat) service {enable [ disable} 

SGOS# (config bluecoat) service {forward {none | host_or_group_alias } 

mode {background | realtime | none} | socks-gateway {none | 

gateway_alias } } 

SGOS# (config bluecoat) no download 
SGOS# (config bluecoat) {exit | view} 

SGOS# (config content-filter) test-url url 
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Section C: Configuring a Local Database 

This section describes how to select and refer to a local database and how to schedule the 
database update schedule. 

Selecting the Local Database and Downloading the Database 

Two main reasons to use a local database instead of a policy file for defining categories 
are: 

□ A local database is more efficient than policy if you have a large number of URLs. 

□ A local database separates administration of categories from policy. This separation is 
useful for three reasons: 

• It allows different individuals or groups to be responsible for administrating the 
local database and policy. 

• It keeps the policy file from getting cluttered. 

• It allows the local database to share categories across multiple boxes that have 
different policy. 

However, some restrictions apply to a local database that do not apply to policy 
definitions: 

□ No more than 200 separate categories are allowed. 

□ Category names must be 32 characters or less. 

□ A given URL pattern can appear in no more than four category definitions. 

You can use any combination of the local database, policy files, or the VPM to manage 
your category definitions. See "Applying Policy to Categorized URLs" on page 35 for 
more information. You can also use both a local database and a third-party vendor for 
your content filtering needs. 



Note: Blue Coat recommends locating your local database on the same server as any 
policy files you are using. 



To configure local database content filtering: 

1. Select Configuration > Content Filtering > General. 
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General 

r Providers 



Provider 


Enable 


Lookup mode 


Local Database: 


0 


0 Always 0 Uncategorized 


Internet Watch Foundation: 


□ 


©Always O Uncategorized 


Blue Coat Web Filter: 


□ 


©Always O Uncategorized 


3rd-party database: 


None 


© Always © Uncategorized 



- Options 

| | Enable Category Review Message in Exceptions 

- Diagnostics 

[ View Categories | view available categories 

URL: | |[ Test | 



2. Select Local Database. 

3. Select the Lookup Mode. 

a. The default is Always, which specifies that the Local database will always be 
consulted for category information. 

b. Uncategorized specifies that the lookup is skipped if the URL has already been 
found in policy. 

4. Click Apply to commit the changes to the SG appliance. 

5. Select Configuration > Content Filtering > Local Database. 

6. If the database is located on a server that requires a password for access, you must 
configure the SG appliance to use that password when accessing the database: 

a. Click Change Password. The Change Password dialog displays. 

b. Enter your password and click OK. 

7. Download the database: 

a. In the URL field, enter the location of the file to be downloaded. 

b. Click Download Now. The Download Status dialog displays. 

c. To view a download log, click Close to close the Download Status dialog, and 
then click View Download Log. 

Download log: 

Local database download at: 2007/06/07 17:40:42-0400 
Downloading from ftp : //1 . 1 . 1 . l/list-1000000-cat . txt 
Download size: 16274465 

Database date: Wed, 07 Jun 2007 08:11:51 UTC 
Total URL patterns: 1000000 
Total categories: 10 

d. Click OK. 

8. Click Apply to commit the changes to the SG appliance. 
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Future Downloads 

You can return to this screen at any time and download a database on demand 
(independent of the automatic download feature, which is described in the next section). 

Ordinarily, the SG appliance checks to see if the database has changed before initiating a 
download. If the database is the most current, no download is performed. 



Note: Incremental updates are not available for Local Database. 



Specifying a Custom Time Period to Update a Local Database 

The SG appliance checks for updates to the database several times an hour. When an 
update is available, it is automatically downloaded and applied. Typically, an update 
contains only the information that has changed. 

You can prevent this automatic check entirely by disabling automatic updates. You can 
also restrict the checks to occur only within a specific time period. For example, you can 
choose to check for updates between 8 am and 11 pm only. The time frame is always local 
time. 



Note: When the database is downloaded, a log is available that includes detailed 
information about how the database was updated. You can view the download log in the 
Management Console by selecting Statistics > Advanced > Content Filter Service, or in the 

CLI (SGOS#(config) show content-filter status). 



To specify a custom time period for updates: 

1. Select Configuration > Content Filtering > Local Database. The Automatically check for 
updates check box is selected by default. 



0 Automatically check for updates 








0 Only between the hours of 


08:00 v 


and 


23:59 v 





2. Select the Only between the hours of check box. The time frame is local time. 

3. Click the arrows to view the drop-down lists and set the time period for your update 
schedule. For example, to check for updates between the hours of 8 am and midnight, 
set the first box to 08:00 and the second box to 23:59. 

4. Click Apply to commit the changes to the SG appliance. 

Diagnostics 

Allows you to see all categories available for use in policy or test a URL against the 
database. Categories are not displayed for a vendor or local database if no database has 
been downloaded. 

To see all available categories: 

1. On the Configuration > Content Filtering > General page, click View Categories. 

2. To see what categories a Web site is assigned by your current configuration, enter the 
URL into the URL field and Click Test. 
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Related CLI Syntax to Configure Content Filtering 

□ To enter configuration mode: 

SGOS# (config) content- filter 

□ The following subcommands are available: 

SGOS# (config content-filter) provider local 

SGOS# (config content-filter 
uncategorized} 

SGOS# (config content-filter 
SGOS# (config content-filter 



enable | disable} 
provider local lookup -mode {always 



categories 
local 

SGOS# (config local) download {all-day | auto | between-hours 
encrypted-password | get-now | password | url | username} 

SGOS# (config local) source 
SGOS# (config local) clear 

SGOS# (config local) {view | exit} 

SGOS# (config content-filter) test-url url 
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Section D: Configuring Internet Watch Foundation 

This section describes how to select the Internet Watch Foundation (IWF) database and 
how to schedule the database update schedule. 

The IWF is a non-profit organization that provides to enterprises a list of known child 
pornography URLs. The IWF database features a single category called IWF-Restricted, 
which is detectable and blockable using policy. IWF can be enabled along with other 
content filtering services. 

Selecting the IWF Database 

To configure IWF content filtering: 

1. Select Configuration > Content Filtering > General. 

General 

r Providers 



Provider 


Enable 


Lookup mode 


Local Database: 


□ 


® Always 


O Uncategorized 


Internet Watch Foundation: 


0 


® Always 


0 Uncategorized 


Blue Coat Web Filter: 


0 


® Always 


O Uncategorized 


3rd-party database: 


None v 


® Always 


0 Uncategorized 



- Options 

f~1 Enable Category Review Message in Exceptions 

- Diagnostics 

I View Categories | view available categories 

URL: | |[ Test | 



2. Select Internet Watch Foundation. 

3. Select the Lookup Mode. 

a. The default is Always, which specifies that IWF will always be consulted for 
category information. 

b. Uncategorized specifies that the lookup is skipped if the URL has already been 
found in policy or a Local database. 

4. Click Apply to submit the changes to the SG appliance. 

5. Select Configuration > Content Filtering > IWF. 
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6 . 



Internet Watch Foundation 



r Download - 

Username: 



<not required> 



Change Password 



Change the download password 



URL: 



https: //list, bluecoat. com/iwf /activity/download/iwf . db 



Set to default 



Download now 



View Download Status 



fvl Automatically check for updates 

Only between the hours of 



00:00 




and 


23:59 





Download the database: 

a. The default database download location displays in the URL field. 



Note: Only enter a new URL if instructed. Otherwise, accept the default. 



b. 



c. 



Click Download Now. The Download Status dialog displays. 

When the operation is complete, the dialog changes to indicate installation status. 
Click Results to see the IWF download log: 

Download log: 

IWF download at: 2007/06/07 17:40:42-0400 

Downloading from https://list. bluecoat . com/iwf / activity /download/ 
iwf . db 

Requesting differential update 
Differential update applied successfully 



d. 



Download size: 
Database date : 
Database expires : 
Database version: 

Click OK. 



84103448 

Wed, 07 Jun 2007 
Fri, 07 Jul 2007 
2005040 



08:11:51 UTC 
08:11:51 UTC 



7. Click Apply to commit the changes to the SG appliance. 



Future Downloads 

You can return to this screen at any time and download a database on demand 
(independent of the automatic download feature, which is described in the next section). 
Ordinarily, the SG appliance checks to see if the database has changed before initiating a 
download. If the database is the most current, no download is performed. If an 
incremental update is available on the server, then it is downloaded (an incremental 
update contains only the changes between the current installed version and the latest 
published version of the database, and is much smaller than a full copy of the database). 
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Specifying a Custom Time Period to Update IWF 

The SG appliance checks for updates to the categorization database several times an hour. 
When an update is available, it is automatically downloaded and applied. Typically, an 
update contains only the information that has changed. 

You can prevent this automatic check entirely by disabling automatic updates. You can 
also restrict the checks to occur only within a specific time period. For example, you can 
choose to check for updates between 8 am and 11 pm only. The time frame is always local 
time. 



Note: When the database is downloaded, a log is available that includes detailed 
information about how the database was updated. You can view the download log in the 
Management Console by selecting Statistics > Advanced > Content Filter Service, or in the 

CLI (SGOS#(config) show content -filter status). 



To specify a custom time frame for updates: 

1. Select Configuration > Content Filtering > IWF. The Automatically check for updates 

check box is selected by default. 



0 Automatically check for updates 



0 Only between the hours of 



08:00 v 



and 



23:59 v 



2. Select the Only between the hours of check box. The time frame is always local time. 

3. Click the arrows to view the drop-down lists and set the time period for your update 
schedule. For example, to check for updates between the hours of 8 am and midnight, 
set the first box to 08:00 and the second box to 23:59. 



4. Click Apply to commit the changes to the SG appliance. 



Diagnostics 

This allows you to test a URL against the database. 

To test a URL: 

1. Select Configuration > Content Filtering > General. 

2. Enter the URL into the URL field. 

3. Click Test. 

Related CLI Syntax to Manage IWF 

□ To enter configuration mode: 

SGOS# (config) content- filter 

□ The following subcommands are available: 

SGOS# (config content-filter) provider iwf {enable | disable} 
SGOS# (config content-filter) provider iwf lookup-mode {always | 
uncategorized} 

SGOS# (config content-filter) iwf 
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SGOS# (config iwf) download {all-day | auto | between-hours | 
encrypted-password | get-now | password | url | username} 

SGOS# (config iwf) no download 
SGOS# (config iwf) {exit | view} 

SGOS# (config content-filter) test-url url 
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Section E: Configuring a Third-Party Vendor 

This section describes how to select and configure your preferred third-party vendor and 
how to schedule the database update schedule. 

Most of the third-party vendor configuration tasks are identical, but there are a few with 
vendor-specific options. As you follow the procedures, you are prompted to proceed to 
another section for these vendors to continue the configuration. 

Selecting the Provider and Downloading the Database 

This procedure assumes you have a valid account with your preferred vendor. 

To configure third-party content filtering: 

1. Select Configuration > Content Filtering > General. 



General 



r Providers 

Provider 



Enable 

Local Database: 

Internet Watch Foundation: q 

□ 



Blue Coat Web Filter: 



3rd-party database: 



None 



Lookup mode 

0 Always O Uncategorized 
0 Always O Uncategorized 
0 Always O Uncategorized 
0 Always 0 Uncategorized 




2. From the 3rd-party database drop-down list, select your preferred vendor. 

3. Select the Lookup Mode. 

a. The default is Always, which specifies that the third-party database will 
always be consulted for category information. 

b. Uncategorized specifies that the lookup is skipped if the URL has already been 
found in policy, a Local database, the Internet Watch Foundation (IWF) 
database, or BCWF. 



4. (Optional and applicable for SmartFilter and BCWF only) Select Enable Category 

Review Message in Exceptions. This adds a link to the default content filter exception 
page that can be used to request review of the categories assigned to a blocked URL. 

Two substitutions ($ (exception_category_review_url) and 

$ (exception_category_review_message) ) are automatically appended to the help 
element of all exception definitions. For information on using the 
$ (except ion. help) element, refer to Volume 6: VPM and Advanced Policy. 
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Note: The substitution values are empty if the provider was not consulted for 
categorization, or if the categorization process failed due to an error. 



5. Click Apply to commit the changes to the SG appliance. 

6. Proceed accordingly: 

• SmartFilter: Continue with: "Configuring SmartFilter" on page 30. 

• Websense: Continue with: "Configuring Websense (on-box)" on page 31. 

• i-Filter, InterSafe, Optenet, Proventia, SurfControl, or Webwasher: Continue with 
Step 7. 

7. Select Configuration > Content Filtering > vendor: 



SurfControl 

Download 

Username: 



catalina56 



Change Password 



Change the download password 



URL: 



https: //list, bluecoat. com/surfcontrol/activity/download/surf control, db 



Set to default 



Download now 



View Download Status 



0 Automatically check for updates 

I I Only between the hours of 



and 



8. (This example uses Surf Control.) If the database is located on a server that requires a 
password for access, you must configure the SG appliance to use that password when 
accessing the database: 

a. Enter your third-party vendor username. 

b. Click Change Password. The Change Password dialog displays. 

c. Enter your password and click OK. 



9. Download the database: 

a. The default database download location is displayed in the URL field. If you 
have been instructed to use a different URL, enter it here (optional: click Set to 
default to always use this location). 

b. Click Download Now. The Installation Status dialog box displays. 

When the operation is complete, the dialog changes to indicate installation status. 

c. Click Results to see the completion message: 
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Download log: 

SurfControl download at: 2007/06/07 17:40:42-0400 
Downloading from https : //list . bluecoat . com/ ... /download/ 
surfcontrol . db 

Warning: Unable to determine current database version; requesting full 
update 

Download size: 8106572 

Database date: Wed, 07 Jun 2007 08:11:51 UTC 

Database expires: Fri, 07 Jul 2007 08:11:51 UTC 

Database version: 3 

d. Click OK. 

10. Click Apply to commit the changes to the SG appliance. 

11. Continue with "Specifying a Custom Time Period to Update a Third-Party Database" 
on page 33. 

Future Downloads 

You can return to this screen at any time and download a database on demand 
(independent of the automatic download feature, which is described in the next section). 

Ordinarily, the SG appliance checks to see if the database has changed before initiating a 
download. If the database is the most current, no download is performed. If an 
incremental update is available on the server, then it is downloaded (an incremental 
update contains only the changes between the current installed version and the latest 
published version of the database, and is much smaller than a full copy of the database). 

Configuring SmartFilter 

The SmartFilter database configuration screen contains unique options. 

Configure SmartFilter: 

1. Select Configuration > Content Filtering > SmartFilter: 



SmartFiltei 




2. Configure SmartFilter: 

a. In the License key field, enter the customer serial number assigned you by 
Secure Computing. 

b. In the Server field, the default server is displayed. If you have been instructed 
to use a different server, enter the hostname or IP address here. 

c. Click Download now. The SmartFilter Installation status dialog box displays 
with the message SmartFilter download in progress. 
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d. 



When the operation is complete, the dialog changes to indicate installation status. 
Click Results to see the completion message: 



Download log: 

SmartFilter download at: 2007/06/07 17:40:42-0400 
Checking incremental update 

Warning: Unable to open input control list 
Warning: Unable to open installed control list 
Downloading full control file 

SmartFilter download at: 19 June 2007 17:40:42-0400 
Downloading from http : //example . com/ .. .version=4 . 0 
Download size: 45854194 

Database version: 95 

Database date: Wed, 07 Jun 2007 08:11:51 UTC 

Database expires: Fri, 07 Jul 2007 08:11:51 UTC 



Note: The first time you download a SmartFilter database, warnings appear in 
the results message under Checking incremental update. These are 
expected, and represent the normal process of checking to see if an incremental 
update is possible. The next time you download a SmartFilter database, the SG 
appliance checks the previously downloaded database, and downloads only 
what is necessary to keep the database current. 



3. Click Apply to commit the changes to the SG appliance. 

4. Continue with "Specifying a Custom Time Period to Update a Third-Party Database" 
on page 33. 

Configuring Websense (on-box) 

The Websense database configuration screen contains unique options. 



Note: Websense databases contain a category called User-Defined to support locally- 
specified categorizations on other platforms. Do not use this category on the SG 
appliance. Instead, define your own categories through the SG appliance and assign 
URLs to them using Policy (see page "Defining Custom Categories in Policy" on page 
38), or using a local category database (refer to Volume 4: Securing the Blue Coat SG 
Appliance). 



To configure Websense (on-box): 

1. Select Configuration > Content Filtering > Websense. 
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Websense 





0 Always apply regular expressions to URLs 



2. In the License Key field, enter the key assigned to you for downloading the Websense 
database. 

3. In the Server field, the default server is displayed. If you have been instructed to use a 
different server, enter the hostname or IP address here. 

4. (Optional) In the Contact e-mail field, enter an e-mail address by which Websense can 
contact you. 

5. Click Download now. The Websense Installation status dialog box displays with the 
message Websense download in progress. 

6. Click Apply to view the Websense download log: 

Download log: 

Websense download at: 2007/06/21 17:40:42-0400 
No database is currently installed 
Attempting full download 
Downloading from download.websense.com 
Processing download file 
Retrieved full update 
Download size: 147079939 

Database version: 82300 

Database date: 2007/06/21 

License expires: 2007/07/21 08:11:51 UTC 
License max users: 25 

Licenses in use : 0 

Library version: 3. 2. 0.0 [BCSI rev A] 

7. Click OK. 

8. (Optional) Always apply regular expressions to urls: 
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Select this option to force an additional regular expression lookup for each URL to be 
categorized. Normally, regular expression lookups are done only when no category is 
found in the Websense database. If this option is selected, regular expression lookups 
always occur, even for categorized URLs. Selecting this option can cause a significant 
reduction in lookup performance, but allow certain sites (such as translation, search 
engine, and link-cache sites) to be categorized more accurately. 

9. To use the Websense Reporter, you must enable the Websense Integration Service. 

a. In the Integration Service Host field, enter the Integration Service Host IP 
(which has the same IP address as the Websense Log Server). 

b. In the Port field, specify the port of the Websense Integration Service. It must 
be between 0 and 65535 and match the port selected on the Integration Service 
host. 

c. Select Enabled to enable the service. 

d. (Optional) Select Log forwarded client address. Normally, the SG logs the 
actual client IP address to the Websense Reporter log. You can configure the 
SG to log an address obtained from the X-Forwarded-For HTTP Header (if 
present and valid) instead. This is useful in some specific network topologies. 



Note: The Policy Server, the Log Server, and Reporter must be installed and 
enabled on your PC before Reporter can be used. For information on Websense 
products, refer to: http:/ / www.websense.com/support/ documentation/ 
integrationservice. 

You must also set up access logging on the SG appliance with Websense as the 
client. For more information on configuring a Websense access logging client, 
refer to Volume 8: Access Logging. 



10. Click Apply to commit the changes to the SG appliance. 

11. Proceed to the "Specifying a Custom Time Period to Update a Third-Party Database" 
on page 33. 

Specifying a Custom Time Period to Update a Third-Party Database 

The SG appliance checks for updates to the database several times an hour. When an 
update is available, it is automatically downloaded and applied. Typically, an update 
contains only the information that has changed. 

You can prevent this automatic check entirely by disabling automatic updates. You can 
also restrict the checks to occur only within a specific time period. For example, you can 
choose to check for updates between 8 am and 11 pm only. The time frame is always local 
time. 



Note: When the database is downloaded, a log is available that includes detailed 
information about how the database was updated. You can view the download log in the 
Management Console by selecting Statistics > Advanced > Content Filter Service, or in the 

CLI (SGOS#(config) show content-filter status). 



To specify a custom time period for updates: 

1. Select Configuration > Content Filtering > vendor. The Automatically check for updates 

check box is selected by default. 
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0 Automatically check for updates 



0 Only between the hours of 



08:00 v 



and 



23:59 v 



2. Select the Only between the hours of check box. The time frame is always local time. 

3. Click the arrows to view the drop-down lists and set the time period for your update 
schedule. For example, to check for updates between the hours of 8 am and midnight, 
set the first box to 08:00 and the second box to 23:59. 



4. Click Apply to commit the changes to the SG appliance. 



Diagnostics 

This allows you to see all categories available for use in policy or test a URL against the 
database. Categories are not displayed for a vendor or local database if no database has 
been downloaded. 



To see all available categories or test a URL: 

1. On the Configuration > Content Filtering > General page, click View Categories. 

2. To see what categories a Web site is assigned by your current configuration, enter the 
URL into the URL field. 

3. Click Test. 



Related CLI Syntax to Manage Third-Party Vendor Content Filtering 

□ To enter configuration mode: 

SGOS# (config) content- filter 



| intersafe | optenet 
websense I webwasher) 



The following subcommands are available: 

SGOS# (config content-filter) {i-filter 
proventia | smartfilter | surfcontrol | 

SGOS# (config content-filter) provider 3rd-party lookup-mode {always | 
uncategorized} 

SGOS# (config content-filter) provider 3rd-party vendor 

SGOS# (config vendor ) download {all-day | auto | between-hours | 
encrypted-password | get-now | password | url | username} 

SGOS# (config vendor ) view 

SGOS# (config smartfilter) download license license_key 

SGOS# (config smartfilter) download server ip_address_or_hostname 

SGOS# (config smartfilter) allow-rdns | no allow-rdns 

SGOS# (config smartfilter) use-search-keywords 

SGOS# (config websense) download email-contact e-mail_address 

SGOS# (config websense) download server ip_address_or_hostname 

SGOS# (config websense) download license license_key 

SGOS# (config websense) {always -apply- regexes | no always-apply- 
regexes } 

SGOS# (config websense) integration- service {enable | disable} 

SGOS# (config websense) integration- service host ip_address_or_hostname 
SGOS# (config websense) integration- service port {0-65535} 
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Section F: Applying Policy 

This section discusses the interaction between content filtering categories and the 
application of control policies. 

Applying Policy to Categorized URLs 

Policy is applied to categories the same way as individual URLs: create policies that 
restrict, allow, and track access. Policy rules are created by composing Blue Coat Content 
Policy Language (CPL) or with the Visual Policy Manager (VPM). 



Note: If you have extensive category definitions. Blue Coat recommends that you put 
them into a local database rather than into a policy file. The local database stores custom 
categories in a more scalable and efficient manner, and separates the administration of 
categories from policy. See "Section C: Configuring a Local Database" on page 20. 



The policy trigger category= is used to test the category or categories assigned to the 
request URL, and thus make a policy decision. For example, to block all requests for URLs 
that are categorized as Sports: 

DENY category=Sports 

The following example demonstrates a condition that is true when a request contains the 
Websense content categories Sexuality and Drugs: 

<proxy> 

category= (sexuality , drugs) 

You can block multiple categories with a single rule: 

category= (Sports , Gambling, Shopping) exception ( content_fil ter_denied) 

In this example, three categories are blocked and instead the predefined exception page 
content_filter_denied is served; by default this indicates that the request was denied 
due to its content and specifies the categories found. 

The following example shows a condition that includes an extensive number of 
categories: 

category= (Abortion, Activist, Adult, Gambling, Illegal, Hacking, 
Militancy, Racism, Shopping, Tasteless, Violence, Weapons) 

URLs that are not categorized are assigned the system category none. This is not an error 
condition; many sites (such as those inside a corporate intranet) are unlikely to be 
categorized by a commercial service. Use category=none to detect uncategorized sites 
and apply relevant policy. The following example disallows access to uncategorized sites 
outside of the corporate network: 

define subnet intranet 

10.0.0.0/8 ; internal network 
192.168.123.45; external gateway 
end 

<proxy> 

; allow unrestricted access to internal addresses 
ALLOW url . address=intranet 

; otherwise (internet), restrict Sports, Shopping and uncategorized 
sites 

DENY category= (Sports , Shopping, none) 
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Such category tests can also be combined with other types of triggers to produce more 
complex policy, such as: 

□ Restrict access by category and time: block sports from 6 am to 6 pm: 
category=Sports time=0600 . . 1800 DENY 

□ Restrict by category and user identity: only members of the group Sales are permitted 
to visit Shopping sites: 

category=Shopping group=! Sales DENY 

□ Require special authentication for access to certain categories: 
category=Hacking authenticate ( restricted_realm ) 

where restricted_realm is an authentication realm you have configured. 

□ Log certain types of access: 

category=Adult action. Log_adult_site_access (yes) 

where Log_adult_site_access is a policy action defined elsewhere that records 
extra information about this request in the event log. 

Typically, category= can be used in policy anywhere that a basic URL test can be used. 
Refer to Volume 10: Blue Coat SG Appliance Content Policy Language Guide for more details. 

Depending on which provider you have selected and whether you have defined any of 
your own categories in policy (see "Defining Custom Categories in Policy" on page 38), 
you have a number of possible category names that can be used with category=. To 
review the valid category names, use the categories CLI command or click View 
Categories in the Management Console: Configuration > Content Filtering > General. 

The category= expressions are normally put in <Proxy> Layers (VPM: Web Access 
Layers) because the goal of content filtering policy is to control requests from users. They 
can also be used in <Cache> (VPM: Web Content Layers) Layers. Either way, policy is 
enforced on all user requests. 

It is possible for an attempt to categorize a URL to fail — for example, if no database is 
loaded, your license is expired, or if a system error occurs. In such a case, the category is 
considered unavailable and triggers such as: 

category=Sports 

are false, even if the URL is actually a sports site, because the SG appliance is unable to 
determine the category. When the policy depends on the category of a URL, you do not 
want such errors to inadvertently allow ordinarily restricted content to be served by the 
SG appliance. You can control how the SG appliance treats these situations with the 
condition: 

category=unavailable 

which is true in these cases. In continuing with the example, to make sure that Sports is 
always blocked, even when errors occur (this is a mode of operation called fail-closed), use 
a rule such as: 

category= ( sports , unavailable) exception (name_of_exception page) 

This rule is true if the category is sports or if the category could not be determined, and in 
either case the proper exception page is served instead of the restricted content. 

The category unlicensed is assigned in addition to unavailable when the failure to 
categorize occurred because of license expiry. That can be caused by the expiration of 
your Blue Coat license to use content filtering, or because of expiration of your license 
from the provider. You can use 
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category=unli censed 

to detect this situation as a distinct case from other causes of unavailability. 

You can also use this feature with custom exception pages (refer to Volume 6: VPM and 
Advanced Policy ): 

<proxy> 

category=sports time=0800. .1800 exception ( sports_during_bus_hrs) 
cat egory=unli censed exception ( contact_admin_re_license ) 
category=unavailable exception ( content_filter_unavailable) 

where sports_during_bus_hrs is a custom exception page you have created to 
respond to requests for Sports pages between 8 am and 6 pm local time. 

contact_admin_re_licen.se is another page that instructs the user to inform the 
administrator about license expiry, and is served if a license check fails. When the 
category is unavailable for some other reason, the pre-defined exception 
(content_filter_unavailable) is served. 

The most common reason (other than license expiry) why categories are unavailable is 
that a provider is selected but no database is installed. Barring hardware or network 
problems that might cause a downloaded database to become corrupted and unreadable, 
it is unlikely that the database will suddenly become unavailable. 

To define policies on the SG appliance, use either the VPM or manually edit Policy files. 
Content filtering policies are usually found in <Proxy> and <Cache> layers. 

If you are using content filtering to manage a type of content globally, create these rules in 
the < Cache > layer. 

However, if your content filtering policy is dependent on user identity or request 
characteristics, create these rules in the < Proxy > layer. 

Using Content Filtering Vendors with Blue Coat Policies 

The SG appliance provides the ability to define flexible Web access and control policies. 
With content filtering, you can set up policies to provide a customized level of Web-site 
access control. With vendor-based content filtering, these policies use and can supplement 
vendor categories. By supplementing content filtering vendor categories, you can further 
refine the type of content filtering the SG appliance performs. For example, if Travel is a 
vendor-defined content category, you can define a policy that allows only Human 
Resources staff to access travel sites. You can define policies that filter by a variety of 
conditions, including category, protocol (including MMS and RTSP streaming protocols), 
time of day, and user or user groups. 
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Example 

Policy: Limit employee access to travel Web sites. 

The first step is to rephrase this policy as a set of rules. In this example, the model of a 
general rule and exceptions to that rule is used: 

□ Rule 1 : All users are denied access to travel sites 

□ Rule 2: As an exception to the above. Human Resources users are allowed to visit 
Travel sites 

Before you can write the policy, you must be able to identify users in the Human 
Resources group. You can do this with an external authentication server, or define the 
group locally on the SG appliance. For information on identifying and authenticating 
users, refer to Volume 4: Securing the Blue Coat SG Appliance. 

In this example, a group called human_resources is identified and authenticated through 
an external server called my_auth_server. 

This then translates into a fairly straightforward policy written in the local policy file: 

<proxy> 

; Ensure all access is authenticated 
Authenticate (my_auth_server ) 

<proxy> 

; Rule 1: All users denied access to travel 
DENY category=travel 
<proxy> 

; Rule 2 : Exception for HR 

ALLOW category=travel group=human_resources 
DENY category=sites 

Example 

Policy: Student access to Health sites is limited to a specified time of day, when the Health 
100 class is held. 

This time the policy contains no exceptions: 

□ Rule 1: Health sites can be accessed Monday, Wednesday, and Friday from 10-llam. 

□ Rule 2: Health sites can not be accessed at other times. 

define condition Health_class time 
weekday=(l, 3, 5) time=1000 . . 1100 

end 

<proxy> 

; 1) Allow access to health while class in session 
ALLOW category=health condition=health_class_time 
; 2) at all other times, deny access to health 
DENY category=health 

Defining Custom Categories in Policy 

You can use CPL to create your own categories and assign URLs to them. This is done 
with the define category construct (for more complete information on the define 
category construct, refer to Volume 10: Blue Coat SG Appliance Content Policy Language 
Guide). To add URLs to a category, list them in the definition. You only need to specify a 
partial URL: 

□ hosts and subdomains within the domain you specify will automatically be included 
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□ if you specify a path, all paths with that prefix are included (if you specify no path, the 
whole site is included) 

Example: 

define category Grand_Canyon 
kaibab . org 

www2 . nature . nps . gov/ air/webcams/parks /grcacam 
nps . gov/grca 
grandcanyon . org 
end 

Any URL at kaibab . org is now put into the Grand_Canyon category (in addition to any 
category it might be assigned by a provider). Only those pages in the /grca directory of 
nps . gov are put in this category. 

Nested Definitions and Subcategories 

You can define subcategories and nest category definitions by adding a category=<name> 
rule. To continue the example, you could add: 

define category Yellowstone 
yellowstone-natl -park . com 
nps .gov/yell/ 
end 

define category National_Parks 

category=Grand_Canyon; Grand_Canyon is a subcategory of 
National_Parks 

category=Yellowstone ; Yellowstone is a subcategory of National_Parks 
nps.gov/yose; Yosemite - doesn't have its own category (yet) 
end 

With these definitions, pages at kaibab . org are assigned two categories: Grand_Canyon 
and National_Parks. You can add URLs to the Grand_Canyon category and they are 
automatically added by implication to the National_Parks category as well. 

Multiple unrelated categories can also be assigned by CPL. For example, by adding: 

define category Webcams 

www2 . nature . nps . gov/ air/webcams/parks /grcacam 
end 

the URL, http : / /www2 . nature . nps . gov/ air /webcams /parks /grcacam/ grcacam . htm, 
will have three categories assigned to it: 

□ Grand_Canyon (because it appears in the definition directly) 

□ National_Parks (because Grand_Canyon is included as a subcategory) 

□ Webcams (because it also appears in this definition) 

However, the other sites in the Grand_Canyon category are not categorized as Webcams. 
This can be seen by testing the URL (or any other you want to try) clicking the Test button 
on the Management Console or the test-url command in the CLI. 

You can test for any of these categories independently. For example, the following 
example is a policy that depends on the above definitions, and assumes that your 
provider has a category called Travel into which most national park sites probably fall. 
The policy is intended to prevent access to travel sites during the day, with the exception 
of those designated National_Parks sites. But the Grand_Canyon webcam is an exception 
to that exception. 
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Example: 

<proxy> 

category=Webcams DENY 
category=National_Parks ALLOW 
category=Travel time =0800.. 1800 DENY 

Click the Test button on the Management Console or the test -url command in CLI to 
validate the categories assigned to any URL. This can help you to ensure that your policy 
rules have the expected effect (refer to "Configuring Policy Tracing" in Volume 10: Blue 
Coat SG Appliance Content Policy Language Guide). 

If you are using policy-defined categories and a content-filter provider at the same time, 
be sure that your custom category names do not coincide with the ones supplied by your 
provider. You can also use the same names — this adds your URLs to the existing 
categories, and extends those categories with your own definitions. For example, if the 
webcam mentioned above was not actually categorized as Travel by your provider, you 
could do the following to add it to the Travel category (for the purpose of policy): 

define category Travel ; extending a vendor category 

www2.nature.nps.gov/air/webcams/parks/grcacam/ ; add the GC webcam 
end 



Note: The policy definitions described in this section can also be used as 
definitions in a local database. See "Configuring a Local Database" on page 20 
for information about local databases. 



Notes 

□ When you use an expired database, the category unlicensed is assigned to all URLs 
and no lookups occur on the database. This can occur even if your download license 
with the database vendor is still valid, but you have not downloaded a database for a 
long time (databases expire after a certain number of days). You can view the date 
that your database expires (or expired) in the download log or by using the view 
command in the CLI. 

When you download a database, you can see the download log as soon as the 
download is complete. To see the download log when you download a database, click 
Results in the Installation Status dialog when the download is complete. 

To see the last download log without doing another download, enter the following 
CLI (config) commands: 

SGOS# (config) content- filter 

SGOS# (config content-filter) view 

□ When your license with the database vendor expires, you can no longer download. 
This does not have an immediate effect — you can still use the database you have for a 
period of time. But eventually, the database expires and you receive the category 
unlicensed, as described above. 

□ If HTTPS Intercept is disabled and a requested HTTPS host is categorized in a content 
filtering database, then filtering applies. However, if the request contains a path and 
the categorization relies on the host/ relative path, content filtering only filters on the 
host name because the path is not accessible. This might result in a different 
categorization than if the host plus path were used. 
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□ If you receive an error message when downloading a content filtering database, check 
the error message (in the Management Console, click Results on the Installation status 
dialog; in the CLI, the results message displays in the event of an error). If you see an 
error message such as ERROR: HTTP 401 - Unauthorized, verify that you entered your 
username and password correctly For example, the following error message was 
generated by entering an incorrect username and attempting to download a 
SmartFilter database: 

Download log: 

SmartFilter download at: Thu, 21 June 2007 18:03:08 
Checking incremental update 

Checking download parameters 
Fetching : http : / /example . com/ 

Warning: HTTP 401 - Unauthorized 
Downloading full control file 

SmartFilter download at: Thu, 21 June 2007 18:03:17 
Downloading from http://example.com/ 

Fetching : http : / /example . com/ 

ERROR: HTTP 401 - Unauthorized 
Download failed 
Download failed 
Previous download : 
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Section G: Configuring Websense Off-box Content Filtering 

This section describes how to configure the SG appliance to communicate with a separate 
Websense server to perform content filtering tasks. This involves creating an external 
service on the SG appliance. 

Note: The SG appliance supports Websense off -box server versions 4.4 and higher. 



To configure Websense Off-box: 

1. In the Management Console, select Configuration > External Services > Websense. 




2. Add a new service: 

a. Click New. The Add list item dialog displays. 

b. Enter a name for the service. This example uses WS_1 . 

c. Click OK to close the dialog and add the Websense service 

3. Click Apply to commit the changes to the SG appliance. 

4. Click Edit. The Edit Websense Service dialog displays. 
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5. Configure the service: 

a. From the Websense Version drop-down list, select the version. The default is 

4.4 and higher; you can also select 4.3. 

b. In the Host field, enter the hostname or IP address of the remote Websense 
server. 

c. In the Port field, enter the port number of the Websense server; or leave as is 
to accept the default (15868). 

d. In the Maximum connections field, enter the maximum number of 
connections. The range is a number from 1 to 65535. The default is 5. Blue 
Coat recommends that the setting not exceed 200. 

e. In the Receive Timeout (seconds) field, enter the number of seconds the SG 
Appliance waits for replies from the Websense server. The range is 60 to 
65535. The default timeout is 70 seconds. 

6. The following settings are optional: 

a. Fail open — If a default Websense service is selected (from the External 
Services > Websense tab), a connection error with the Websense server results 
in requests and responses proceeding, as the default Websense service is 
subjected to policy. 

b. Send: client address — Sends the client IP address to the Websense server. 

c. Send: Authenticated user — Sends user information to the Websense server. 

d. Serve exception page when content is blocked — If the requested content is 
defined by Websense as inappropriate, the client receives a page with 
information stating the content is blocked. When this option is selected, the 
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exception page originates from the SG Appliance; if not selected, the 
Websense server provides the exception page. 

7. Click OK to close the Websense dialog. To perform a health check on this service, see 
"Performing a Health Check on a Websense Off-box Service" on page 44. 

8. Click Apply to commit the changes to the SG appliance. 

9. (Optional) You can designate a default Websense service to use. On the Configuration 
> External Services > Websense tab, select a service from the Default service to use 
drop-down list. 

Because this is an external service feature, you can create service groups that contain two 
or more Websense services. Then you can point the ProxySG to the service group to allow 
for greater efficiency. See Chapter 4: "Configuring Service Groups" on page 77. 



Performing a Health Check on a Websense Off-box Service 

1. To perform a health check on the Websense service, click Health Check. The Confirm 
Health Check dialog displays. 




2. Make sure that you save changes to any open dialogs before proceeding. 

3. Click OK to perform the health check. When the health check is complete, the Health 
Check Results dialog displays information about the health check. 

4. Click Close to close the Health Check Results dialog. 



Related CLI Syntax to Configure Websense Off-box Content Filtering 

□ To enter configuration mode: 

SGOS# (config) external-services 



The following subcommands are available: 

SGOS# (config external - services ) create websense service_name 
SGOS# (config external - services ) {edit | delete} service_name 
SGOS# (config websense service_name) version {4.3 | 4.4} 

SGOS# (config websense service_name) host { hostname \ IP_address} 
SGOS# (config websense service_name) port port_number 
SGOS# (config websense service_name) max-conn number 
SGOS# (config websense service_name ) timeout timeout_seconds 
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SGOS# (config websense 
authenticated -user} 

SGOS# (config websense 
SGOS# (config websense 
SGOS# (config websense 
SGOS# (config websense 



service_name ) 

service_name) 

service_name) 

service_name) 

service_name) 



send {client-address | 

sense -categories 
apply -by -default 
fail-open 
test-url url 
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This chapter describes how to configure the SG appliance to interact with external 
Internet Content Adaptation Protocol (ICAP) clients and servers to provide content 
scanning and transformation. 

This chapter contains the following sections: 

□ "Section A: About Content Scanning" 

□ "Section B: Configuring SG Appliance ICAP Communications" 

□ "Section C: Creating ICAP Policy" 

□ "Section D: Managing Virus Scanning" 
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Section A: About Content Scanning 

This section provides conceptual information about anti-virus (AV) scanning and the SG 
appliance solution. 

When integrated with a supported ICAP server, such as the Blue Coat AV™, the SG 
appliance provides content scanning, filtering, and repair service for Internet-based 
malicious code. To eliminate threats to the network and to maintain caching performance, 
the SG appliance sends objects to the ICAP server for checking and saves the scanned 
objects in its object store. With subsequent content requests, the appliance serves the 
scanned object rather than rescanning the same object for each request. 

Determining Which Files to Scan 

In determining which files to scan, this integrated solution uses the content scanning 
server's filtering in addition to SG appliance capabilities. The following table describes 
the supported content types and protocols. 



Table 3-1 . Content Types Scanned By ICAP Server and the SG Appliance 



ICAP Server 

supported content types 


SG appliance 
supported protocols 


Unsupported content 
protocols 


All or specified file types, based on the file 
extension, as configured on the server. 

Examples: . exe (executable programs), . bat 
(batch files), . doc and . rtf (document files), 
and .zip (archive files); or specific MIME 
types. 


• HTTP objects 

• FTP objects (uploads 
and downloads) 

• Transparent FTP 
responses 


• Streaming content (for example, 
RTSP and MMS) 

• Live HTTP streams (for example, 
HTTP radio streams) 


HTTPS connections 
terminated at an SG 
appliance 


HTTPS connections tunneled 
through an SG appliance 



Whenever an object is requested or being refreshed and it was previously scanned, the SG 
appliance verifies whether the pattern file has been updated since it was last scanned. If it 
was, the object is scanned again, even if the content has not changed. If the content has 
changed, the object is rescanned. 

With the SG appliance, you can define flexible, yet enterprise-specific content scanning 
policies, which is discussed in the following two sections. 

About Response Modification 

The SG appliance sends the first part (a preview) of the object to the ICAP server that 
supports response modification. The object preview includes the HTTP request and 
response headers, and the first few bytes of the object. After checking those bytes, the 
ICAP server either continues with the transaction (that is, asks the SG appliance to send 
the remainder of the object for scanning) or sends a notification to the appliance that the 
object is clean and opts out of the transaction. 

The ICAP server features and configuration determine how scanning works, including the 
following: 
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□ Handling of certain objects, including those that are infected and cannot be repaired 

□ Whether to attempt to repair infected files 

□ Whether to delete infected files that cannot be repaired from the ICAP server's 
archive 

The following diagram illustrates the response modification process flow. 




Legend 

A: Client 1 — logged Into the SG appliance 

B; SG appliance with AV employed to scan responses, 

C: AV appliance (the ICAP server) 

D: The SG appliance policy engine. 



Process Flow 

1: (Blue arrow) Client 1 requests a Web page. 

2: The SG appliance retrieves the requested Web page from a content server. 

3 The SG appliance forwards the Web page (objects) to the AV appliance for content scanning The 
contents (possibly modified if exceptions occur) Is returned to the SG appliance. Clean content Is 
stored in the cache from which future requests are served 

4: Policy check. Evaluates how exceptions and other errors are processed. 

S: (Blue arrow) The content is clean and allowable and the request is allowed to continue to its 
destination for full retrieval. 

6 (Red arrow) A virus or other exception occurred and the client is notified with an HTTP message 



Figure 3-1. Response Modification Process Flow 

About Request Modification 

Request modification means the ICAP server scans contents that a client is attempting to 
send outside the network. This prevents unaware users from forwarding corrupted files 
or Webmail attachments. Request modification is also a method of content filtering and 
request transformation, which is used to protect network identification. Based on the 
results of the scan, the server might return an HTTP response to the client (for example, 
sports not allowed); or the client request might be modified, such as stripping a referrer 
header, before continuing to the origin content server. 



Note: Some ICAP servers do not support virus scanning for request modification, but 
support only content filtering. 
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The following diagram illustrates the request modification process flow. 




Legend 

A: Client 1 — logged Into the SG appliance 

B: SG appliance with AV employed to scan responses. 

C: AV appliance (the ICAP server). 



Process Flow 

1: (Blue arrow) Client 1 requests to send a Webmail with an attachment. 

2: The SG appliance forwards content to the AV appliance for scanning services (which can vary 
based on the ICAP server configuration). The AV appliance identifies a virus within the attachment 
and returns the results to the SG appliance. 

3 Client 1 receives a message that the infected attachment was identified and stripped, 



Figure 3-2. Request Modification Process Flow 

Returning the Object to the Blue Coat Appliance 

For response modification, the returned object can be the original unchanged object, a 
repaired version of the original object minus a virus, or an error message indicating that 
the object contained a virus. Each of these responses is configured on the ICAP server, 
independent of the appliance and the ICAP protocol. If the appliance receives the error 
message, it forwards the error message to the client and does not save the infected file. 



Note: For request modifiction, an object is never returned, regardless of whether it is 
infected or clean. 



Caching and Serving the Object 

After an object has been scanned and is determined to be cacheable, the SG appliance 
saves it and serves it for the subsequent content requests. When the appliance detects that 
the cached content has changed on the origin server, it fetches a fresh version, then 
forwards it to the ICAP server for scanning. If the SG appliance uses policies in the ICAP 
configuration, the policy applies to content fetches, distributions, refreshes, and 
pipelining fetches. 

For more information on policies, see "Section C: Creating ICAP Policy" on page 67. For 
more information on the <Cache> layer, refer to Volume 10: Blue Coat SG Appliance Content 
Policy Language Guide. 
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ICAP vl.O Features 

This section describes features of the ICAP vl.O protocol. 

Sense Settings 

The Sense Settings feature allows the SG appliance to query any identified ICAP server 
running vl.O, detect the parameters, and configure the ICAP service as appropriate. See 
"Creating an ICAP Service" on page 56. 

ISTags 

Am ICAP vl.O server is required to return in each response an ICAP header ISTag, which 
indicates the current state of the ICAP server. This eliminates the need to designate 
artificial pattern version numbers, as is required in v0.95. 



Note: Backing out a virus pattern on the ICAP server can revert ISTags to previous 
values that are ignored by the SG appliance. To force the SG appliance to recognize the old 
values, use the Sense Settings option, which is described in the configuration section. 



Persistent Connections 

New ICAP connections are created dynamically as ICAP requests are received (up to the 
defined maximum connection limit). The connection remains open to receive subsequent 
requests. If a connection error occurs, the connection closes to prevent more errors. 

Improving the User Experience 

Object scanning adds another operation to the user process of requesting and receiving 
Web content. Therefore, the user might experience extremely slightly noticeble delays 
during Web browsing as ICAP servers scan content. The SG appliance allows you to 
mitigate slower browse times and educate your users about what is occuring on their 
systems. This section describes those functionalities. 

About Patience Pages 

Patience pages are HTML pages displayed to the user if an ICAP content scan exceeds the 
specified duration (seconds). You can configure the content of these pages to include a 
custom message and a help link. Patience pages refresh every five seconds and disappear 
when object scanning is complete. 

Notes 

□ Patience pages are not compatible with infinite stream connections — or live content 
streamed over HTTP — such as a cam or video feed. ICAP scanning cannot begin until 
the object download completes. Because this never occurs with this type of content, 
the SG appliance continues downloading until the maximum ICAP file size limit is 
breached. At that point, the SG appliance either returns an error or attempts to serve 
the content to the client (depending on fail open/ closed policy). However, even when 
configured to fail open and serve the content, the delay added to downloading this 
large amount of data is often enough to cause the a user give up before reaching that 
point. 
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□ Patience pages are limited to Web browsers. 

About Data Trickling 

Patience pages provide a solution to appease users during relatively short delays in object 
scans. However, scanning relatively large objects, scanning objects over a smaller 
bandwidth pipe, or high loads on servers might disrupt the user experience because 
connection timeouts occur. To prevent such timeouts, you can allow data trickling to occur. 
Depending on the trickling mode you enable, the SG appliance either trickles — or allows 
at a very slow rate — bytes to the client at the beginning of the scan or near the very end. 

The SG appliance begins serving server content without waiting for the ICAP scan result. 
However, to maintain security, the full object is not delivered until the results of the 
content scan are complete (and the object is determined to not be infected). 



Note: This feature is supported for the HTTP proxy only; FTP connections are not 
supported. 



Trickling Data From the Start 

In trickle from start mode, the SG appliance buffers a small amount of the beginning of the 
response body. As the ICAP server continues to scan the response, the SG appliance 
allows one byte per second to the client. 




( Internet ) 





LEGEND: 

1 : After 5 seconds (default), trickling 
begins. 

2: The response is received from the 
ICAP server (clean), and the client 
receives the remaining bytes at the 
best connection possible. 



Figure 3-3. A client receives only the initial bytes of a transaction during the ICAP scan. 



After the ICAP server completes its scan: 



□ If the object is deemed to be clean (no response modification is required), the SG 
appliance sends the rest of the object bytes to the client at the best speed allowed by 
the connection. 



□ If the object is deemed to be malicious, the SG appliance terminates the connection 
and the remainder of the response object bytes — which in this case are the majority of 
the bytes — are not sent to the client. 



Deployment Notes 

□ This method is the more secure option because the client receives only a small amount 
of data pending the outcome of the virus scan. 
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□ One drawback is that users might become impatient, especially if they notice the 
browser display of bytes received. They might assume the connection is poor or the 
server is busy, close the client, and restart a connection. 

Trickling Data at the End 

In trickle at end mode, the SG appliance sends the response to the client at the best speed 
allowed by the connection, except for the last 16 KB of data. As the ICAP server performs 
the content scan, the SG appliance allows one byte per second to the client. 




( Internet ) 





LEGEND: 

1 : After 5 seconds (default), the 
client begins receiving bytes at the 
best connection possible. 

2: Trickling begins for the final 16K 
of data. 

3: The response is received from the 
ICAP server (clean), and the client 
receives the remaining bytes. 



Figure 3-4. A client receives most of the bytes immediately during the ICAP scan. 



After the ICAP server completes its scan, the behavior is the same as described in 
"Trickling Data From the Start" on page 52. 



Deployment Notes 

□ Blue Coat recommends this method for media content, such as flash objects. 

□ This method is more user-friendly than trickle at start. This is because users tend to be 
more patient when they notice that 99% of the object is downloaded versus 1%, and 
are less likely to perform a connection restart. However, network administrators 
might perceive this method as the less secure method, as a majority of the object is 
delivered before the results of the ICAP scan. 



General Deployment Notes 

This section provides comments about data trickling deployments. 

The Decision Between Data Trickling and Patience Pages 

Blue Coat SG appliance configuration options plus policy allow you to provide different 
ICAP feedback actions depending upon the type of traffic detected: 

□ Blue Coat defines interactive as the request involving a Web browser. Web browsers 
support data trickling and patience pages. 
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□ Non-interactive traffic originates from non-browser applications, such as automatic 
software download or update clients. Such clients are not compatible with patience 
pages; therefore, data trickling or no feedback are the only supported options. 

Based on whether the requirements of your enterprise places a higher value either on 
security or availability, the SG appliance allows you to specify the appropriate policy. 
However, you must also consider the user agents involved when determining the 
appropriate feedback method. For example, streaming clients cannot deliever patience 
pages, but they are susceptible to connection timeouts. Therefore, trickling is the 
suggested method. The following diagram provides basic guidelines for deciding which 
feedback method to implement. 




Figure 3-5. Deciding which ICAP feedback method to employ. 

Infinite Streams 

Data trickling does not solve the issue of HTTP infinite streams. These are connections 
such as webcams or flash media — traffic over an HTTP connection — that conceivably 
have no end. Because the object cannot be fully downloaded, the ICAP content scan 
cannot start; however, the connection between the SG appliance and the AV appliance 
remains, which wastes finite connection resources. Strategic policy implementation, 
however, might be able to identify infinite streams and mark them to not be anti-virus 
scanned. 

If you employ the data trickle at end method, the user experience with infinite streams 
improves because the data is always delivered at the best connection speed possible. 
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Proxy Chaining Deployments 

Proxy chaining deployments are common in enterprises, especially in core/branch office 
scenarios. Data trickling is achievable, but behavior is dependent upon how the SG 
appliances are configured. The following are common deployment scenarios. 

□ The downstream SG appliance is performing ICAP scanning, and the upstream SG 
appliance is not: Data trickling and patience pages are not affected in this scenario. 

□ The upstream SG appliance is performing ICAP scanning, and the downstream SG 
appliance is not: The only issue with this deployment is that user agent-specific policy 
cannot be applied at the core SG appliance because the branch SG appliance 
consolidates multiple client requests in one out-going request to the upstream SG 
appliance. If data trickling is employed at the upstream SG appliance and if ICAP 
scanning detects a virus, the upstream SG appliance resets the client connection. This 
also deletes the corrupted object from the downstream SG appliance cache. 

□ Both SG appliances (upstream and downtream) are scanning: Behavior is mostly 
determined by the configuration of the upstream SG appliance. 

• If the upstream SG appliance is configured to deliver patience pages, then the 
downstream SG appliance also attempts to serve patience pages, including to 
non-graphical user agents. Therefore, this method is not recommended. 

• If the upstream SG appliance employs data trickle from start, the downstream SG 
appliance is not able to send any bytes to the client for a long period of time. If a 
patience page is not configured on the downstream SG appliance, users might 
experience connection timeouts. 

• If the upstream SG appliance employs trickle at end, the downstream SG 
appliance allows for all options of patience page and data trickling. 

About ICAP Server Failover 

When creating an ICAP action, you can specify a list of ICAP servers or groups to use, in 
order of preference. If the first server or group in the list does not pass the health checks, 
the SG appliance moves down the list until it finds a server or group that is healthy and 
uses that to perform the scanning. 

The primary server resumes ICAP processing when the next health check is successful; 
the standby server or server group does not retain the primary responsibility. 

Notes 

□ Failover is configured as part of the ICAP policy definition. 

□ You cannot configure failover policy until ICAP services are configured on the SG 
appliance. 

□ To avoid errors, ICAP service names cannot be named fail_open or fail_closed (the 
CLI commands prevent these names from being created). 
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Section B: Configuring SG Appliance ICAP Communications 

This section describes how to configure the SG appliance to communicate with an ICAP 
server to perform content scanning tasks. 



Configuration Tasks 

Configuring ICAP on the SG appliance involves the following steps: 

□ Install the ICAP server. 

□ Configure the SG appliance to use ICAP and configure basic features. 

□ Specify feedback method (patience pages or data trickling). 

□ Define scanning policies, then load the policy file on the SG appliance. 



Installing the ICAP Server 

Follow the manufacturer instructions for installing the ICAP server, including any 
configuration necessary to work with the SG appliance. Based on your network 
environment, you might use the SG appliance with multiple ICAP servers or multiple 
scanning services on the same server. Configure options as needed, including the 
exception message displayed to end users in the event the requested object was modified 
or blocked. 



Creating an ICAP Service 

An ICAP service on the SG appliance is specific to the ICAP server and includes the server 
IP address or hostname, as well as the supported number of connections. If you are using 
the SG appliance with multiple ICAP servers or multiple scanning services on the same 
server, add an ICAP service for each server or scanning service. 

To create and configure an ICAP service: 

1. Select Configuration > External Services > ICAP Services. 
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2a 



2b 



ICAP Services | ICAP Patience Page 

■ Services; 




-i|> Mew 



Add list item 



Pre r Add ICAP Service 



Response 1 



Edit 



Delete 



m 



OK I I Cancel 




2. Add a new service: 

a. Click New; the Add List Item dialog appears. 

b. In the Add ICAP Service field, enter an alphanumeric name. This example uses 

Responsel. 

c. Click OK to close the dialog. The new ICAP object appears in the services list. 

3. Highlight the new ICAP service name and click Edit. The Edit ICAP Service dialog 
appears. 




4. Configure the service communication options: 



Note: The default ICAP version is 1.0 and cannot be changed. 



a. In the Service URL field, enter the ICAP server URL (AV appliance), which 
includes the URL schema, ICAP server hostname or IP address, and the ICAP 
port number. For example: 
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icap://10.x.x.x/ 

The default port number is 1344, which can be changed. For example: 
icap://l0.x.x.x:99.Youcanalso enter an HTTP URL, but you must define a 
port number. 



Note: An ICAP service pointing to a WebWasher server must use icap as the 
protocol in the URL. Blue Coat also recommends that you review your specific 
ICAP server documentation, as each vendor might require additional URL 
information. 



b. The Maximum Number of Connections field specifies the maximum possible 
connections at any given time between the SG appliance and the ICAP server. 
The range is a number from 1 to 65535. The default is 5. The number of 
recommended connections depends on the capabilities of the ICAP server. 
Refer to the vendor's product information. 

c. The Connection timeout field specifies the number of seconds the SG 
appliance waits for replies from the ICAP server. The range is 1 to 65536. The 
default timeout is 70 seconds. 

d. Select Notify administrator: Virus detected to send an e-mail to the 
administrator if the ICAP scan detects a virus. The notification is also sent to 
the Event Log and the Event Log e-mail list. 

e. Select Virus found page: Use vendor’s “virus found” page to display the default 
vendor error exception page to the client instead of the SG appliance 
exception page. This is the default behavior for SGOS upgrades from 
previous versions. This feature maintains the same appearance of previous 
versions, but also retains the inherent timestamp issues involved with cache 
hits. If this option is not selected, the exception pags originate from the SG 
appliance, and they employ the accurate timestamps for cache hits. 
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5. The following steps configure ICAP vl.O features: 

a. (Optional) Clicking Sense Settings automatically configures the ICAP service 
using the ICAP server parameters. 

b. Select the ICAP method: response modification or request modification. 

Note: An ICAP server might have separate URLs for response modification 
and request modification services. 



c. In the Preview size (bytes) field, enter a byte value and select enabled. The 
ICAP server reads the object up to the specified byte total. The ICAP server 
either continues with the transaction (that is, receives the remainder of the 
object for scanning) or opts out of the transaction. 

The default is 0 . Only response headers are sent to the ICAP server; more object 
data is only sent if requested by the ICAP server. 

d. (Optional) The Send options allow additional information to be forwarded to 
the ICAP server. Select one or more of the following: Client address. Server 
address. Authenticated user, or Authenticated groups. 

e. Click Health check to perform an immediate health check on this service. 

f. Click OK to close the dialog. 

6. Click Apply. 

Managing ICAP Health Checks 

SG appliance health check features allow you to perform tasks such as immediate 
checking, disable health checks, and override various notifications and settings. 

To manage ICAP health checks: 

1. Select Configuration > Health Checks > General. 
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Health Checks | Default Settings | Default Notifications 




2. Select an ICAP service or service group. 

3. Click Perform health check to get an immediate connection status for the AV appliance 

or service group. 

4. Click Edit to display the Edit ICAP Health Check dialog. 

5. Select the Enabled state: 

• Enabled: Marks the ICAP service or group as enabled and functioning. 

• Disabled, reporting as healthy: Marks the ICAP service as healthy, but not able to 
receive connections. One reason to select this option is to preserve current 
statistics; the disabled state is temporary. 

• Disabled, reporting as sick: Marks the ICAP service as down and not able to 
receive connections. One reason to select this is that you are taking the server 
offline for maintanance or replacement. 

6. Click Apply. 

The Health Check chapter in Volume 5: Advanced Networking provides more detailed 

information about all of the health check configuration options, including override 

features. 

Deleting an ICAP Service 

The following steps describe how to delete an ICAP service. 



Note: You cannot delete an ICAP service used in an SG appliance policy (that is, if a 
policy rule uses the ICAP service name) or that belongs to a service group. 



To delete an ICAP service: 

1. Select Configuration > External Services > ICAP. 

2. Select the service to be deleted. 

3. Click Delete; click OK to confirm. 

4. Click Apply. 
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Configuring ICAP Feedback 

This section describes how to specify what type of feedback is provided to users during an 
ICAP scan. See "Improving the User Experience" on page 51. 

To specify and configure the ICAP feedback method: 

1. Select Configuration > External Services > ICAP > ICAP Feedback. 



ICAP Services ICAP Feedback | ICAP Patience Page 





r ICAP 


Feedback for Interactive T raf f ic : 


2a 


-o 0 Do not provide feedback during ICAP scanning 


2b 


-c®* 0 Provide feedback after 5 seconds 






0 Return patience page 


2c- 


E=> 


O Trickle object data from start 






0 Trickle object data at end 



3a 

3b 

3c 



- ICAP Feedback for Non-Interactive T rafFic : 

- -o 0 Do not provide feedback during ICAP scanning 

- 0 Provide feedback after 5 J seconds 

O Trickle object data from start 

£> 

0 Trickle object data at end 



2. Configure options for interactive traffic (browser-based requests): 

a. The Do not provide feedback... option means that if users experience delays in 
receiving content, they are not notified as to the reason (ICAP scanning). 
Selecting this option greys out the other options. 

b. The default duration to wait before notifiying a client that an ICAP scan is 
occuring is five seconds. You can change this value in the Provide feedback 
after field, but if you make the value too long, users might become impatient 
and manually close the client, believing the connection is hung. 

c. Select the feedback method: 



• Return patience pages: The client displays a Web page to the user providing a 
description of the delay (ICAP scanning). This page is customizable, as 
described in the next section. 

• Trickle object data from start: The client receives 1 byte per second, which 
should prevent connection timeouts while the ICAP server performs the scan. 
If the response from the ICAP server is clean, the client receives the rest of the 
object data at the best connection speed possible. If the scan detects malicious 
content, the connection is dropped. This is the more secure method. 
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• Trickle object data at end: The client receives most (99%) of the object data, but 
the final bytes are sent at the rate of one per second while the ICAP scanner 
performs the scan. If the response from the ICAP server is clean, the client 
receives the rest of the object data at the best connection speed possible. If the 
scan detects malicious content, the connection is dropped. This is the least 
secure method, as most of the data has already been delivered to the client. 
However, this method provides the best user experience because there most 
of the object is already delivered. 

3. Configure options for non-interactive traffic (content such as flash animation over 
HTTP): 

a. The Do not provide feedback... option means that if users experience delays in 
receiving content, they are not notified as to the reason (ICAP scanning). 
Selecting this option greys out the other options. 

b. The default duration to wait before notifiying a client that an ICAP scan is 
occuring is five seconds. You can change this value in the Provide feedback 
after field, but if you make the value too long, users might become impatient 
and manually close the client, believing the connection is hung. 

c. Select the feedback method: 

• Trickle object data from start: See the descriptions in Step 2. 

• Trickle object data at end: See the descriptions in Step 2. 

4. Click Apply. 

These configurations are global. You can define further feedback policy that applies to 
specific user and conditional subsets. In the VPM, the object is located in the Web Access 
Layer: Return ICAP Feedback. 

Customizing ICAP Patience Text 

This section describes how to customize text displayed during ICAP scanning. Patience 
pages are displayed if the appropriate option is selected, as described in the previous 
section: "Improving the User Experience" on page 51. 

HTTP Patience Text 

The SG appliance allows you to customize the patience page components and text that are 
displayed to users when HTTP clients experience delays as Web content is scanned. 

To customize HTTP patience pages: 

1. Select Configuration > External Services > ICAP > ICAP Patience Page. 
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ICAP Services ICAP Patience Page 





r HTTP Patience Page Customization: 
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| Customize the patience summary 
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| Customize the patience details 
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Help 
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- FTP Patience Page Customization: 

| 5 Ummar y ] Customize the FTP patience text 



2. In the HTTP Patience Page Customization section, click Header, Summary, Details, or 
Help. The corresponding customize dialog appears. Customize the information as 
appropriate. 



- Custom Patience Header: 

<title>Please be patient</title> 

<met-a ht-tp-equiv= " content -type " content 2 "text/html ; charset=IS 
0 8859 - 1 " > 



a. Custom Patience Header — Contains HTML tags that define what appears in 
the dialog title bar. This component also contains the <meta http-equiv> 
tag, which is used to specify a non-English character set. 



- Custom Patience Summary Message: 

Your content request is experiencing a slight delay while it 
is scanned for malicious content or viruses. If the content 
is determined clean, you will receive the request. Pleae be 
patient . 



b. Custom Patience Summary Message — HTML and text that informs users that 
a content scan is occurring. 
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- Custom Patience Details Message: 

<td valign="top" widt-h="30$ ">URL: </td> a 

<td valign="top" >$ (url) </td> 

</tr> 

<tr> 

<t-d valign="top" widt.h=" 30% " progress: </td> 

<td valign="top">$ (patience_pro| A Vess ) </td> 

</tr> 

<tr> 

<td valign="top" width="30* ">Time elapsed: </td> 

<td valign="t:op">$ (patience_t-ime) </td> v 



c. Custom Patience Details Message — Uses data to indicate scanning progress. 
The information includes the URL currently being scanned, the number of 
bytes processed, and the elapsed time of the scan. 



- Custom Patience Help Message: 

If your browser does not support automatic refresh, 
click the following link to download the scanned object. 

<a href="$ (patience_url ) ">Continue</a> 

<p><strong>Note: </strong> i^osing this window terminates the 
download. </p> 



d. Custom Patience Help Message — Displays instructions for users should they 
experience a problem with the patience page. 

3. Click Apply. 

All of these components are displayed on the patience page. 

Windows XP, Service Pack 2 Behavior 

Microsoft is continually updating Windows XP security measures, which impacts how the 

SG appliance manages patience pages. 

□ Browsers running on Windows XP, Service Pack 2 (XP SP2), experience slightly 
different patience page behavior when pop-up blocking is enabled. 

• If pop-up blocking is not enabled, patience page behavior should be normal. 

• If pop-up blocking is enabled (the default), the SG appliance attempts to display 
the patience page in the root window. 

• If the download triggers an invisible Javascript window, the user can track the 
scanning progress with the progress bar at the bottom of the window; however, if 
other policy blocks Javascript active content, this bar is also not visible. 

□ If Internet Explorer blocks all downloads initiated by Javascript, the user must click 
the yellow alert bar to download the scanned object. 

□ Users experience two patience page responses for non-cacheable objects. 
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Interactivity Notes 

□ When ICAP scanning is enabled and a patience page is triggered, a unique URL is 
dynamically generated and sent to the browser to access the patience page. This 
unique URL might contain a modified version of the original URL. This is expected 
behavior. 

□ Patience pages and exceptions can only be triggered by left-clicking a link. If a user 
right-clicks a link and attempts to save it, it is not possible to display patience pages. If 
this action causes a problem, the user might see browser-specific errors (for example, 
an Internet site not found error); however, ICAP policy is still in effect. 

□ A patience page is not displayed if a client object request results in an HTTP 302 
response and the SG appliance pipelines the object in the Location header. After the 
SG appliance receives the client request for the object, the client enters a waiting state 
because a server-side retrieval of the object is already in progress. The wait status of 
the client request prevents the patience page from displaying. To prevent the SG 
appliance from pipelining these requests (which decreases performance) and to retain 
the ability to provide a patience page, configure HTTP as follows: 

#SGOS (config) http no pipeline client redirects 

□ The status bar update does not work if it is disabled or if the Javascript does not have 
sufficient rights to update it. 

□ Looping: Certain conditions cause browsers to re-spawn patience pages. For example, 
a site states it will begin a download in 10 seconds, initiates a pop-up download 
window, and returns to the root window. If the download window allows pop-ups, 
the patience page displays in a separate window. The automatic return to the root 
window initiates the download sequence again, spawning another patience page. If 
unnoticed, this loop could cause a system hang. The same behavior occurs if the user 
clicks the back button to return to the root window. For known and used download 
sites, you can create policy that redirects the page so that it doesn't return to the root 
window after a download starts. 

FTP Patience Text 

For content over FTP, the patience text displayed to FTP clients during an ICAP scan can 

be modified. 

To customize FTP patience text: 

1. Select Configuration > External Services > ICAP > ICAP Patience Page. 
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ICAP Services 


ICAP Patience Page 




r HTTP Patience Page Customization: 




Header 


I Customize the patience HTML header 




1 Summary 


Customize the patience summary 




Details 


Customize the patience details 




Help 


| Customize the patience help 




r FTP Patience Page Customization: 


2 


-t> [ Summary 


Customize the FTP patience text 







2. In the FTP Patience Page Customization field, click Summary; the Customize FTP 
Patience Text dialog appears. Customize the FTP client patience text as appropriate. 



3. Click OK. 

4. Click Apply. 



Related CLI Syntax to Manage ICAP Communications 

□ To enter configuration mode: 

SGOS# (config) external-services 



The following subcommands are available: 

SGOS# (config external - services ) create icap service_name 

SGOS# (config external - services ) edit service_name 

SGOS# (config icap service_name) url icap : / / url 

SGOS# (config icap service_name) max-conn number 

SGOS# (config icap service_name ) timeout timeout_seconds 

SGOS# (config icap service_name ) notify virus-detected 

SGOS# (config icap service_name ) methods {REQMOD | RESPMOD} 

SSGOS# (config icap service_name ) preview-size bytes 

SGOS# (config icap service_name) send {client-address | server- 
address } 

SGOS# (config icap service_name) send { authenticated-user | 
authenticated-groups } 

SGOS# (config icap services service_name) sense- settings 
SGOS# (config icap services service_name) patience-page seconds 
SGOS# (config external -service) delete service_name 

SGOS# (config external - services ) inline http icap-patience {details 
header | help | javascript | summary} eof 

SGOS# (config external - services ) inline ftp icap-patience-text eof 

SGOS# (config external - services ) icap feedback interactive patience- 

page {seconds) 

SGOS# (config external - services ) icap feedback {interactive | non- 
interactive} {trickle-start | trickle-end | none }{ seconds) 
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Section C: Creating ICAP Policy 

Defined ICAP policy dictates the anti-virus and ICAP server failover behavior for your 
enterprise. You can either use the Visual Policy Manager (VPM) or you can manually edit 
policy files. For more information on the VPM and defining policies, refer to Volume 6: 
VPM and Advanced Policy. 

Use the request . icap_service ( ) (request modification) or response . icap_service ( ) 
(response modification) properties to manage the SG appliance ICAP services. 

VPM Objects 

The VPM contains the following objects specific to AV scanning (linked to their 
descriptions in the VPM chapter). 

Table 3-2. AV Scanning Objects 



Object 


Layer>Column 


Virus Detected 


Web Access>Service 


ICAP Error Code 


Web Access>Service 


Return ICAP Feedback 


Web Access>Action 


Set ICAP Request Service 


Web Access>Action 


Set ICAP Request Service 


Web Content>Action 


Set ICAP Response Service 


Web Content>Action 



Note: For CPL policy, refer to Volume 10: Blue Coat SG Appliance Content Policy Language 
Guide. 



Example ICAP Scanning Policy 

The following VPM example demonstrates the implementation of an ICAP policy that 

performs virus scanning on both client uploads (to prevent propagating a virus) and 

responses (to prevent the introduction of viruses), and provides failover with backup 

ICAP services. 

For this example: 

□ The SG appliance has configured ICAP services. The response service is avresponsel 
and the request service is avrequestl . 

□ Two backup response services are configured: avreponse2 and avresponse3. 

□ The Blue Coat AV is the virus scanner and it is configured to serve password- 
protected files. 

□ A group named IT is configured on the SG appliance. 

□ The IT group wants the ability to download password protected files, but deny 
everyone else from doing the same. 
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To perform virus scanning, protecting both the server side and the client side: 

1. In the VPM, select Policy > Web Access Layer. Name the layer RequestAV. 

2. Right-click the Action column; select Set. The Set Action Object dialog appears. 

3. Click New. 

4. Select Set ICAP Request Service; the Add ICAP Request Service Object dialog 
displays. 




5. Configure the request service object: 

a. Select Use ICAP request service. 

b. Select the avrequestl and click Add (this moves the service name to the field 
on the right). 

c. Accept the default: Deny the client request. This prevents a client from 
propagating a threat. If a virus is found, the content is not uploaded. For 
example, a user attempts to post a document that has a virus and is denied. 

d. Click OK; click OK again to add the object to the rule. 
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Figure 3-6. Request 

6. In the VPM, select Policy > Web Content Rule. Name the rule ResponseAV. 

7. Right-click the Action column; select Set. The Set Action Object dialog appears. 

8. Click New. 

9. Select Set ICAP Response Service; the Add ICAP Response Service Object dialog 
appears. 




10. Configure the response service object: 

a. Select Use ICAP response service. 

b. Select avresponsel and click Add. 

c. Repeat Step b for to add the additional (failover) services. 

d. Select Deny the client request. This scans the responses for viruses before the 
object is delivered to the client. If a virus is found, the content is not served. 

e. Click OK; click OK again to add the object to the rule. 
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To log a detected virus: 

1. In the VPM, select Policy > Web Access Layer. Name the layer AVErrors. 

2. Right-click the Service column; select Set. The Set Service Object dialog appears. 

a. Select Virus Detected (static object). 

b. Click OK to add the object to the rule. 

3. Right-click the Action column. Select Delete. 

4. Right-click the Track column. Select Set; the Set Track Object dialog appears. 

a. Click New; select Event Log. The Event Log dialog appears. 

b. In the Name field, enter VirusLogl . 

c. From the scroll-list, select icap_virus_details, localtime, and client- 
address. Click Insert. 

d. Click OK; click OK again to add the object to the rule. 




Figure 3-7. The AVErrors rule 

To create an exception for IT group: 

1. In VPM, select Policy > Add Web Access Layer. Name the rule AVExceptions. 

2. Add the IT group object to the Source column. 

3. Right-click the Service column; select Set. The Set Service Object dialog appears. 

4. Click New; select ICAP Error Code. The Add ICAP Error Code Object appears. 
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5. Add the error code: 

a. Select Selected Errors. 

b. From the list of errors, select Password Protected Archive; click Add. 

c. Name the object password_protected. 

d. Click OK; click OK again to add the object to the rule. 

6. Right-click the Action column and select Allow. 

7. Click Add Rule. 

8. In the Service column, add the password_protected object. 

9. Right-click the Action column; select Deny. 





RequestAV ResponseAV AVErrors AVExceptions 


No. Source Destination Service Time Action Track 


Comment 






1 


gJJ cn=IT... 


Any 


password .protected 


Any 


Q Allow 


None 






2 


Any 


Any 


2k password_protected 


Any 


^ Deny 


None 





After this policy is installed: 

□ Virus scanning is performed for client attempts to upload content and content 
responses to client requests. 

□ If a virus is detected and there were no scanning process errors, a log entry occurs. 
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□ As the Blue Coat AV is configured to serve password-protected objects, only the IT 
group can download such files; everyone else is denied. 

Exempting HTTP Live Streams From Response Modification 

The following CPL examples demonstrate how to exempt HTTP live streams from 
response modification, as they are not supported by ICAP The CPL designates user 
agents that are bypassed. 

<proxy> 

url . scheme=http request . header . User-Agent= "RealPlayer G2" 
response . icap_service (no) 
url . scheme=http request . header . User-Agent= " (RMA) " 
response . icap_service (no) 

url . scheme=http request . header . User-Agent= " (Winamp) " 
response . icap_service (no) 

url . scheme=http request . header . User-Agent= " (NSPlayer) " 
response . icap_service (no) 

url . scheme=http request . header . User-Agent= " (Windows-Media-Player) " 
response . icap_service (no) 

url . scheme =http request . header . User -Agent = "QuickTime" 
response . icap_service (no) 

url . scheme=http request . header . User-Agent= " (RealMedia Player) " 
response . icap_service (no) 

Streaming Media Request Modification Note 

Some HTTP progressive download streaming media transactions are complex enough to 
disrupt ICAP request modification services. If such behavior is noticed (most common 
with RealPlayer), implement a workaround policy to bypass the ICAP request 
modification service for HTTP progressive downloads: 

For example: 

<proxy> 

url . scheme=http request_header . User-Agent= " (RealMedia Player) " 
request . icap_service (no) 
url . scheme=http request_header . User-Agent= "RMA" 
request . icap_service (no) 

CPL Notes 

□ If policy specifies that an ICAP service is to be used, but the service is not available, 
the default behavior is to fail closed — that is, deny the request or response. The 
following CPL allows the serving of objects without ICAP processing if the server is 
down. 

request . icap_service (service_name , fail_open) 
response. icap_service ( service_name , fail_open) 

When the ICAP service is restored, these objects are scanned and served from the 
cache if they are requested again. 



Note: Blue Coat recommends this CPL to be used for internal sites; use with caution. 
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□ To provide an exception to a general rule, the following CPL negates ICAP 
processing: 

request . icap_service (no) 
response . icap_service (no) 
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Section D: Managing Virus Scanning 

You might need to perform additional SG appliance maintenance concerning virus 
scanning, particularly for updates to the virus definition on the ICAP virus scanning 
server. 

Advanced Configurations 

This section summarizes more-advanced configurations between the SG appliance and 
multiple ICAP servers. These brief examples provide objectives and suggest ways of 
supporting the configuration. 

Using Object-Specific Scan Levels 

You can specify different scanning levels for different types of objects, or for objects from 
different sources. 

This requires a service group of ICAP servers, with each server configured to provide the 
same level of scanning. For more information, refer to Chapter 4: "Configuring Service 
Groups" on page 77. 

Improving Virus Scanning Performance 

You can overcome request-handling limitations of ICAP servers. Generally, SG appliances 
can handle many times the volume of simultaneous user requests that ICAP servers can 
handle. 

This requires multiple ICAP servers to obtain a reasonable performance gain. On the SG 
appliance, define policy rules that partition requests among the servers. If you are going 
to direct requests to individual servers based on rules, configure in rule conditions that 
only use the URL. Note that you can increase the scale by using a service group, rather 
than use rules to partition requests among servers. For more information on using 
multiple ICAP servers, refer to Chapter 4: "Configuring Service Groups" on page 77. For 
more information about defining policies, refer to the Managing Policy Files chapter in 
Volume 6: VPM and Advanced Policy, as well as Volume 11: Blue Coat SG Appliance Command 
Line Reference. 

When the virus definitions are updated, the SG appliance stores a signature. This 
signature consists of the server name plus a virus definition version. If either of these 
changes, the SG appliance checks to see if the object is up to date, and then rescans it. If 
two requests for the same object are directed to different servers, then the scanning 
signature changes and the object is rescanned. 

Updating the ICAP Server 

If there is a problem with the integration between the SG appliance and a supported ICAP 
server after a version update of the server, you might need to configure the preview size 
the appliance uses. For information, see "Creating an ICAP Service" on page 56. 
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Replacing the ICAP Server 

If you replace an ICAP server with another supported ICAP server, reconfigure the ICAP 
service on the SG appliance: 

SGOS# (config) external-services 

SGOS# (config external -service) edit service_name 
SGOS# (config service_name ) url url 

For information about these commands, see "Creating an ICAP Service" on page 56. 

Access Logging 

The SG appliance provides access log support for Symantec and Finjan ICAP 1.0 server 
actions (Management > Access Logging). The following sections describe access logging 
behavior for the various supported ICAP servers. 

Symantec AntiVirus Scan Engine 4.0 

When this Symantec server performs a scan, identifies a problem (for example, a virus), 
and performs a content transformation, the action is logged. For example: 

"virus-id: Typ e=number; Resolution= [0 | 1 | 2] ; Threat =name;" 



where: 



TyP e=number 


Specifies the numeric code for the virus. 


Resolution= 


Specifies an integer value that indicates what action was taken to fix 
the file. Zero (o) defines the file is unrepairable, one (l) specifies that 
the file was repaired, and two ( 2 ) specifies that the file was deleted. 


Threat= 


Specifies the name of the virus. 



Finjan SurfinGate 7.0 

When this Finjan ICAP server performs a scan, identifies a problem (for example, a virus), 
and performs a content transformation, the action is logged. For example: 

"virus-id: name, response-info: Blocked, response-desc : virus_name was 
detected" 

Finjan ICAP servers also log occurrences malicious mobile code. 



Note: The access log string cannot exceed 256 characters. If the header name or value 
extends the length over the limit, then that string does not get logged. For example, if the 
x-virus- id header value is 260 characters, the access log displays "x-virus-id: " with 
no value because the value is too long to display. Also, if the access log string is already 
250 characters and the SG appliance attempts to append a "Malicious-Mobile-Type : " 
string, the string is not appended 



Access log entries might vary depending upon the type of ICAP scan performed and the 
custom log formats. For information about Access Logging, refer to Volume 8: Access 
Logging. 
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This chapter describes how to create and manage ICAP or Websense service groups. In 
high-traffic network environments, a service group accelerates response time by a 
performing a higher volume of scanning. 

About Weighted Load Balancing 

The SG appliance supports weighted load balancing in forwarding requests to service 
groups. By default, the SG appliance performs typical round-robin load balancing and 
evenly forwards requests sequentially to servers as defined within the service group. 
Manually assigning weights takes advantage of round-robin load balancing in service 
groups that are not homogeneous, or where the servers have different capacities. 

Weighting determines what proportion of the load one server bears relative to the 
others. If all servers have either the default weight (1) or the same weight, each share an 
equal proportion of the load. If one server has weight 25 and all other servers have 
weight 50, the 25-weight server processes half as much as any other server. 

Before configuring weights, consider the relative weights to assign to each server. 
Factors that could affect assigned weight of a ICAP server include the following: 

□ The processing capacity of the server hardware in relationship to other servers (for 
example, the number and performance of CPUs or the number of network interface 
cards) 

□ The maximum number of connections configured for the service. The maximum 
connections setting pertains to how many simultaneous scans can be performed on 
the server, while weighting applies to throughput in the integration. While these 
settings are not directly related, consider both when configuring weighted load 
balancing. 



Note: External services (ICAP, Websense off-box) have a reserved connection for 
health checks (if you created health check services). This means that as the load goes 
up and the number of connections to the external service reaches the maximum, with 
additional requests being queued up and waiting, the maximum simultaneous 
connections is actually one less than the limit. 



The following diagram provides an example of how weighting works with a service 
group of three Blue Coat AV ICAP servers. 
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AV veodor servers: 
virus pattern updates 



Users 



Router 





A 



B 



C 



Admin PC 



AV appliances 



Legend 



A: BC_AV1, an AV appliance with 10 maximum connections and a specified weight of 1 . 

B: BC_AV2, an AV appliance with 10 maximum connections and a specified weight of 1 , 

C: BC_AV3 an AV appliance with 25 maximum connections and a specified weight of 3. 

D: An SG appliance with a Service Group named AV_Response that contains BC_AV1, BC_AV2. and BC_AV3. 



1. With load balancing, the SG appliance sends 100 response modification requests to the three AV appliances 
(by way of the AV Reponse Service Group). 

2. BC_AV1 receives 20 requests 

3. BC_AV2 receives 20 requests. 

4. BC_AV3 receives 60 requests. 



Figure 4-1 . Service Group Process Flow 

Note: Setting the weight value to 0 (zero) disables weighted load balancing for the ICAP 
service. Therefore, if one ICAP server of a two-server group has a weight value of 1 and 
the second a weight value of 0 , should the first server go down, a communication error 
results because the second server cannot process the request. 



While you cannot specifically designate an ICAP server in a group as a backup, you can 
specify weight values that create a large differential between a server that is used 
continuously and one that is rarely used, thus simulating a backup server. 



Create the service group and add the relevant ICAP or Websense services to the group. 
Services within group must be the same type (ICAP or Websense). 

To configure a service group: 

1. Select Configuration > External Services > Service-Groups. 



Process Flow 



Creating a Service Group 
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Service-Groups 




Service-Groups: 



Service-Group 



2b 



2a 



New 



-o 



T 



2. Add a new group: 

a. Click New; the Add List Item dialog appears. 

b. In the Add Service Group field, enter an alphanumeric name. This example 
creates a group called ICAP_Response. 

c. Click OK. 

3. Highlight the new service group name and click Edit; the Edit Service Group dialog 
appears. 
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Available service-group entries 
® List ICAP services A Request2 a 

0 List Websense services 



Response 1 
Response2 
Response3 
Response4 



4c 



OK 

T 



Cancel 



4a 



New 



4. Select existing services: 

a. Click New; the Add Service Group Entry dialog appears. 

b. If this SG appliance contains many configured ICAP or Websense (off -box) 
services, you can narrow the viewable list by selecting List ICAP services or 
List Websense services. 

c. From the list of existing services, select the ones to add to this group. Hold the 
Control or Shift key to select multiple services. 

d. Click OK to add the selected services to group. 
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5. Assign weights to services: 

a. Select a service and click Edit; the Edit Service Group Entry weight dialog 
appears. 

b. In the Entry Weight field, assign a weight value. The valid range is 0-255. For 
conceptual information about service weighting, see "About Weighted Load 
Balancing" on page 77. 

c. Repeat steps a and b for other services, as required. 

d. Click OK to close the dialog. 

e. Click OK again to close the Edit Service Group Entry dialog 

6. Click Apply. 

Result: When instructed by created policies, the SG appliance sends ICAP response 
modification requests to ICAP servers in the service group. The load carried by each 
service in the group is determined by the weight values. 



Deleting a Service Group or Group Entry 

You can delete the configuration for an entire service group from the SG appliance, or you 
can delete individual entries from a service group. 



Note: A service or service group used in a SG appliance policy (that is, if a policy rule 
uses the entry) cannot be deleted; it must first be removed from the policy. 
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To delete a service group: 

1. Select Configuration > External Services > Service-Groups. 

2. Select the service group to be deleted. 

3. Click Delete; click OK to confirm. 

4. Click Apply. 

To delete a service group entry: 

1. Select Configuration > External Services > Service-Groups. 

2. Select the service group to be modified. 

3. Click Edit. 

4. Select the service entry to be deleted; click Delete. 

5. Click OK. 

6. Click Apply. 



Displaying External Service and Group Information 

After configuring a service group, you can display aggregate service group (and other 
External Services) information. 



To display information about all external services and groups: 

At the (conf ig) command prompt, enter the following commands: 

SGOS# (config) external-services 

SGOS# (config external - services ) view 



Individual service information is displayed first, followed by service group information. 
For example: 



; External Services 
icap4 

ICAP-Version : 

URL: 

Max- conn: 

Timeout (secs) : 
Health-checks : 
Patience-page (secs) 
Notification: 
Methods : 

Preview- size : 

Send : 

ISTag : 



1 . 0 



icap : //10 . 1 . 1 . 1 
5 

70 



no 

: disabled 
never 
RESPMOD 
0 

nothing 



websense4 
Version : 
Host : 



4.4 

www. websense . com/list 



Port: 15868 

Max- conn: 5 

Timeout (secs) : 70 

Send: nothing 

Fail -by-default : closed 

Apply-by-def ault : no 



Serve-exception-page :yes 
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; External Service-Groups 
Co rp I CAP 

total weight 5 
entries : 

ICAP1 
weight 4 
ICAP2 
weight 1 

BranchWebsense 
total weight 2 
entries : 

Websensel 
weight 1 

Websense2 
weight 1 

Related CLI Syntax to Manage External Services 

□ To enter configuration mode: 

SGOS# (config) external-services 

□ The following commands are available: 

SGOS# (config external - services ) create service-group name 

SGOS# (config service-group name) add service_name 

SGOS# (config service-group name) edit service_name 

SGOS# (config service-group name) weight value 

SGOS# (config external - services ) delete service_group_name 

SGOS# (config type name ) remove ent ry_name 

SGOS# (config external - services ) view 

SGOS# (config type name) view 
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A 



access control list 


Allows or denies specific IP addresses access to a server. 


access log 


A list of all the requests sent to an appliance. You can read an access log using any of 
the popular log-reporting programs. When a client uses HTTP streaming, the 
streaming entry goes to the same access log. 


account 


A named entity that has purchased the appliance or the Entitlements from Blue Coat. 


activation code 


A string of approximately 10 characters that is generated and mailed to customers 
when they purchase the appliance. 


active content stripping 


Provides a way to identify potentially dangerous mobile or active content and 
scripts, and strip them out of a response. 


active content types 


Used in the Visual Policy Manager. Referring to Web Access policies, you can create 
and name lists of active content types to be stripped from Web pages. You have the 
additional option of specifying a customized message to be displayed to the user 


administration access policy 


A policy layer that determines who can access the SG appliance to perform 
administrative tasks. 


administration 
authentication policy 


A policy layer that determines how administrators accessing the SG appliance must 
authenticate. 


Application Delivery 
Network (ADN) 


A WAN that has been optimized for acceleration and compression by Blue Coat. This 
network can also be secured through the use of appliance certificates. An ADN 
network is composed of an ADN manager and backup ADN manager, ADN nodes, 
and a network configuration that matches the environment. 


ADN backup manager 


Takes over for the ADN manager in the event it becomes unavailable. See ADN 
manager. 


ADN manager 


Responsible for publishing the routing table to SG Clients (and to other SG 
appliances). 


ADN optimize attribute 


Controls whether to optimize bandwidth usage when connecting upstream using an 
ADN tunnel. 


asx rewrite 


Allows you to rewrite URLs and then direct a client's subsequent request to the new 
URL. One of the main applications of ASX file rewrites is to provide explicit proxy- 
like support for Windows Media Player 6.4, which cannot set explicit proxy mode for 
protocols other than HTTP. 


audit 


A log that provides a record of who accessed what and how. 
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authenticate-401 attribute 


All transparent and explicit requests received on the port always use transparent 
authentication (cookie or IP, depending on the configuration). This is especially 
useful to force transparent proxy authentication in some proxy-chaining scenarios 


authenticated content 


Cached content that requires authentication at the origin content server (OCS). 
Supported authentication types for cached data include basic authentication and 
IWA (or NTLM). 


authentication 


Allows you to verify the identity of a user. In its simplest form, this is done through 
usernames and passwords. Much more stringent authentication can be employed 
using digital certificates that have been issued and verified by a Certificate 
Authority. See also basic authentication, proxy authentication, and SSL 
authentication. 


authentication realm 


Authenticates and authorizes users to access SG services using either explicit proxy 
or transparent proxy mode. These realms integrate third-party vendors, such as 
LDAP, Windows, and Novell, with the Blue Coat operating system. 


authorization 


The permissions given to an authenticated user. 



B 



bandwidth class 


A defined unit of bandwidth allocation. 


bandwidth class hierarchy 


Bandwidth classes can be grouped together in a class hierarchy, which is a tree 
structure that specifies the relationship among different classes. You create a 
hierarchy by creating at least one parent class and assigning other classes to be its 
children. 


bandwidth management 


Classify, control, and, if needed, limit the amount of bandwidth used by network 
traffic flowing in or out of an SG appliance. 


basic authentication 


The standard authentication for communicating with the target as identified in the 
URL. 


BCAAA 


Blue Coat Authentication and Authorization Agent. Allows SGOS 5.x to manage 
authentication and authorization for IWA, CA eTrust SiteMinder realms, Oracle 
COREid, Novell, and Windows realms. The agent is installed and configured 
separately from SGOS 5.x and is available from the Blue Coat Web site. 


BCLP 


Blue Coat Licensing Portal. 


byte-range support 


The ability of the SG appliance to respond to byte-range requests (requests with a 
Range : HTTP header). 



C 



cache 


An "object store," either hardware or software, that stores information (objects) for 
later retrieval. The first time the object is requested, it is stored, making subsequent 
requests for the same information much faster. 

A cache helps reduce the response time and network bandwidth consumption on 
future, equivalent requests. The SG appliance serves as a cache by storing content 
from many users to minimize response time and prevent extraneous network traffic. 
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cache control 


Allows you to configure which content the SG appliance stores. 


cache efficiency 


A tab found on the Statistics pages of the Management Console that shows the 
percent of objects served from cache, the percent loaded from the network, and the 
percent that were non-cacheable. 


cache hit 


Occurs when the SG appliance receives a request for an object and can serve the 
request from the cache without a trip to the origin server. 


cache miss 


Occurs when the appliance receives a request for an object that is not in the cache. 
The appliance must then fetch the requested object from the origin server. . 


cache object 


Cache contents includes all objects currently stored by the SG appliance. Cache 
objects are not cleared when the SG appliance is powered off. 


Certificate Authority (CA) 


A trusted, third-party organization or company that issues digital certificates used to 
create digital signatures and public key /private key pairs. The role of the CA is to 
guarantee that the individuals or company representatives who are granted a unique 
certificate are who they claim to be. 


child class (bandwidth gain) 


The child of a parent class is dependent upon that parent class for available 
bandwidth (they share the bandwidth in proportion to their minimum /maximum 
bandwidth values and priority levels). A child class with siblings (classes with the 
same parent class) shares bandwidth with those siblings in the same manner. 


client consent certificates 


A certificate that indicates acceptance or denial of consent to decrypt an end user's 
HTTPS request. 


client-side transparency 


A way of replacing the appliance IP address with the Web server IP address for all 
port 80 traffic destined to go to the client. This effectively conceals the SG appliance 
address from the client and conceals the identity of the client from the Web server. 


concentrator 


An SG appliance, usually located in a data center, that provides access to data center 
resources, such as file servers. 


content filtering 


A way of controlling which content is delivered to certain users. SG appliances can 
filter content based on content categories (such as gambling, games, and so on), type 
(such as http, ftp, streaming, and mime type), identity (user, group, network), or 
network conditions. You can filter content using vendor-based filtering or by 
allowing or denying access to URLs. 



D 



default boot system 


The system that was successfully started last time. If a system fails to boot, the next 
most recent system that booted successfully becomes the default boot system. 


default proxy listener 


See proxy service (d efault). 
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denial of service (DoS) 


A method that hackers use to prevent or deny legitimate users access to a computer, 
such as a Web server. DoS attacks typically send many request packets to a targeted 
Internet server, flooding the server’s resources and making the system unusable. Any 
system connected to the Internet and equipped with TCP-based network services is 
vulnerable to a DoS attack. 

The SG appliance resists DoS attacks launched by many common DoS tools. With a 
hardened TCP/IP stack, SG appliance resists common network attacks, including 
traffic flooding. 


destination objects 


Used in Visual Policy Manager. These are the objects that define the target location of 
an entry type. 


detect protocol attribute 


Detects the protocol being used. Protocols that can be detected include: HTTP, P2P 
(eDonkey, BitTorrent, FastTrack, Gnutella), SSL, and Endpoint Mapper. 


diagnostic reporting 


Found in the Statistics pane, the Diagnostics tab allows you to control whether Daily 
Heartbeats and/ or Blue Coat Monitoring are enabled or disabled. 


directives 


Commands used in installable lists to configure forwarding and SOCKS gateway. 


DNS access 


A policy layer that determines how the SG appliance processes DNS requests. 


domain name system (DNS) 


An Internet service that translates domain names into IP addresses. See also private 
DNS or public DNS. 


dynamic bypass 


Provides a maintenance-free method for improving performance of the SG appliance 
by automatically compiling a list of requested URLs that return various kinds of 
errors. 


dynamic real-time rating 
(DRTR) 


Used in conjunction with the Blue Coat Web Filter (BCWF), DRTR (also known as 
dynamic categorization) provides real-time analysis and content categorization of 
requested Web pages to solve the problem of new and previously unknown 
uncategorized URLs — those not in the database. When a user requests a URL that has 
not already been categorized by the BCWF database (for example, a brand new Web 
site), the SG appliance dynamic categorization service analyzes elements of the 
requested content and assigns a category or categories. The dynamic service is 
consulted only when the installed BCWF database does not contain category 
information for an object. 



E 



early intercept attribute 


Controls whether the proxy responds to client TCP connection requests before 
connecting to the upstream server. When early intercept is disabled, the proxy delays 
responding to the client until after it has attempted to contact the server. 


ELFF-compatible format 


A log type defined by the W3C that is general enough to be used with any protocol. 


emulated certificates 


Certificates that are presented to the user by SG appliance when intercepting HTTPS 
requests. Blue Coat emulates the certificate from the server and signs it, copying the 
subjectName and expiration. The original certificate is used between the SG 
appliance and the server. 


encrypted log 


A log is encrypted using an external certificate associated with a private key. 
Encrypted logs can only be decrypted by someone with access to the private key. The 
private key is not accessible to the SG appliance. 
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EULA 


End user license agreement. 


event logging 


Allows you to specify the types of system events logged, the size of the event log, and 
to configure Syslog monitoring. The appliance can also notify you by email if an 
event is logged. See also access logging. 


explicit proxy 


A configuration in which the browser is explicitly configured to communicate with 
the proxy server for access to content. 

This is the default for the SG appliance, and requires configuration for both browser 
and the interface card. 


extended log file format 
(ELFF) 


A variant of the common log file format, which has two additional fields at the end of 
the line — the referer and the user agent fields. 



F 



fail open/ closed 


Failing open or closed applies to forwarding hosts and groups and SOCKS gateways. 
Fail open or closed applies when health checks are showing sick for each forwarding 
or SOCKS gateway target in the applicable fail-over sequence. If no systems are 
healthy, the SG appliance fails open or closed, depending on the configuration. If 
closed, the connection attempt simply fails. 

If open, an attempt is made to connect without using any forwarding target (or 
SOCKS gateway). Fail open is usually a security risk; fail closed is the default if no 
setting is specified. 


filtering 


See content filtering. 


forward proxy 


A proxy server deployed close to the clients and used to access many servers. A 
forward proxy can be explicit or transparent. 


FTP 


See Native FTP; Web FTP. 



G 



gateway 


A device that serves as entrance and exit into a communications network. 



H 



hardware serial number 


A string that uniquely identifies the appliance; it is assigned to each unit in 
manufacturing. 
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health check tests 



health check type 



heartbeat 



host affinity 



host affinity timeout 



inbound traffic (bandwidth 
gain) 



The method of determining network connectivity, target responsiveness, and basic 
functionality. The following tests are supported: 

• ICMP 

• TCP 

• SSL 

. HTTP 

• HTTPS 

• Group 

• Composite and reference to a composite result 

• ICAP 

• Websense 

• DRTR rating service 

The kind of device or service the specific health check tests. The following types are 
supported: 

• Forwarding host and forwarding group 

• SOCKS gateway and SOCKS gateway group 

• CAP service and ICAP service group 

• Websense off -box service and Websense off-box service group 

• DRTR rating service 

• User-defined host and a user-defined composite 

Messages sent once every 24 hours that contain the statistical and configuration data 
for the SG appliance, indicating its health. Heartbeats are commonly sent to system 
administrators and to Blue Coat. Heartbeats contain no private information, only 
aggregate statistics useful for pre-emptively diagnosing support issues. 

The SG appliance sends emergency heartbeats whenever it is rebooted. Emergency 
heartbeats contain core dump and restart flags in addition to daily heartbeat 
information. 

The attempt to direct multiple connections by a single user to the same group 
member. Host affinity is closely tied to load balancing behavior; both should be 
configured if load balancing is important. 

The host affinity timeout determines how long a user remains idle before the 
connection is closed. The timeout value checks the user's IP address, SSL ID, or 
cookie in the host affinity table. 



Network packets flowing into the SG appliance. Inbound traffic mainly consists of 
the following: 

• Server inbound: Packets originating at the origin content server (OCS) and sent to 
the SG appliance to load a Web object. 

• Client inbound: Packets originating at the client and sent to the SG appliance for 
Web requests. 
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installable lists 


Installable lists, comprised of directives, can be placed onto the SG appliance in one 
of the following ways: 

• Creating the list using the SG text editor 

• Placing the list at an accessible URL 

• Downloading the directives file from the local system 


integrated host timeout 


An integrated host is an origin content server (OCS) that has been added to the health 
check list. The host, added through the integrate new hosts property, ages out 
of the integrated host table after being idle for the specified time. The default is 60 
minutes. 


intervals 


Time period from the completion of one health check to the start of the next health 
check. 


IP reflection 


Determines how the client IP address is presented to the origin server for explicitly 
proxied requests. All proxy services contain a reflect-ip attribute, which enables or 
disables sending of client's IP address instead of the SG's IP address. 


issuer keyring 


The keyring used by the SG appliance to sign emulated certificates. The keyring is 
configured on the appliance and managed through policy. 



L 



licensable component (LC) 


(Software) A subcomponent of a license; it is an option that enables or disables a 
specific feature. 


license 


Provides both the right and the ability to use certain software functions within an AV 
(or SG) appliance. The license key defines and controls the license, which is owned 
by an account. 


listener 


The service that is listening on a specific port. A listener can be identified by any 
destination IP/ subnet and port range. Multiple listeners can be added to each 
service. 


live content 


Also called live broadcast. Used in streaming, it indicates that the content is being 
delivered fresh. 


LKF 


License key file. 


load balancing 


A way to share traffic requests among multiple upstream systems or multiple IP 
addresses on a single host. 


local bypass list 


A list you create and maintain on your network. You can use a local bypass list alone 
or in conjunction with a central bypass list. See bypass list. 


local policy file 


Written by enterprises (as opposed to the central policy file written by Blue Coat); 
used to create company- and department-specific advanced policies written in the 
Blue Coat Policy Language (CPL). 


log facility 


A separate log that contains a single logical file and supports a single log format. It 
also contains the file's configuration and upload schedule information as well as 
other configurable information such as how often to rotate (switch to a new log) the 
logs at the destination, any passwords needed, and the point at which the facility can 
be uploaded. 
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log format 


The type of log that is used: NCSA/Common, SQUID, ELFF, SurfControl, or 
Websense. 

The proprietary log types each have a corresponding pre-defined log format that has 
been set up to produce exactly that type of log (these logs cannot be edited). In 
addition, a number of other ELFF type log formats are also pre-defined (im, main, 
p2p, ssl, streaming). These can be edited, but they start out with a useful set of log 
fields for logging particular protocols understood by the SG appliance. It is also 
possible to create new log formats of type ELFF or Custom which can contain any 
desired combination of log fields. 


log tail 


The access log tail shows the log entries as they get logged. With high traffic on the 
SG appliance, not all access log entries are necessarily displayed. However, you can 
view all access log information after uploading the log. 



M 



MACH5 


SGOS 5 MACH5 Edition. 


Management Console 


A graphical Web interface that lets you to manage, configure, monitor, and upgrade 
the SG appliance from any location. The Management Console consists of a set of 
Web pages and Java applets stored on the SG appliance. The appliance acts as a Web 
server on the management port to serve these pages and applets. 


management information 
base (MIB) 


Defines the statistics that management systems can collect. A managed device 
(gateway) has one or more MIBs as well as one or more SNMP agents, which 
implements the information and management functionality defined by a specific 
MIB. 


maximum object size 


The maximum object size stored in the SG appliance. All objects retrieved that are 
greater than the maximum size are delivered to the client but are not stored in the SG 
appliance. 


MIME/FILE type filtering 


Allows organizations to implement Internet policies for both uploaded and 
downloaded content by MIME or FILE type. 


multi-bit rate 


The capability of a single stream to deliver multiple bit rates to clients requesting 
content from appliances from within varying levels of network conditions (such as 
different connecting bandwidths and traffic). 


multicast 


Used in streaming; the ability for hundreds or thousands of users to play a single 
stream. 


multicast aliases 


Used in streaming; a streaming command that specifies an alias for a multicast URL 
to receive an .nsc file. The .nsc files allows the multicast session to obtain the 
information in the control channel 


multicast station 


Used in streaming; a defined location on the proxy where the Windows Media player 
can retrieve streams. A multicast station enables multicast transmission of Windows 
Media content from the cache. The source of the multicast-delivered content can be a 
unicast-live source, a multicast (live) source, and simulated live (video-on-demand 
content converted to scheduled live content). 


multimedia content services 


Used in streaming; multimedia support includes Real Networks, Microsoft Windows 
Media, Apple QuickTime, MP3, and Flash. 
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N 



name inputing 


Allows an SG appliance to resolve host names based on a partial name specification. 
When a host name is submitted to the DNS server, the DNS server resolves the name 
to an IP address. If the host name cannot be resolved. Blue Coat adds the first entry in 
the name-inputing list to the end of the host name and resubmits it to the DNS server 


native FTP 


Native FTP involves the client connecting (either explicitly or transparently) using 
the FTP protocol; the SG appliance then connects upstream through FTP (if 
necessary). 


NCSA common log format 


Blue Coat products are compatible with this log type, which contains only basic 
HTTP access information. 


network address translation 
(NAT) 


The process of translating private network (such as intranet) IP addresses to Internet 
IP addresses and vice versa. This methodology makes it possible to match private IP 
addresses to Internet IP addresses even when the number of private addresses 
outnumbers the pool of available Internet addresses. 


non-cacheable objects 


A number of objects are not cached by the Blue Coat appliance because they are 
considered non-cacheable. You can add or delete the kinds of objects that the 
appliance considers non-cacheable. Some of the non-cacheable request types are: 

• Pragma no-cache, requests that specify non-cached objects, such as when you click 
refresh in the Web browser. 

• Password provided, requests that include a client password. 

• Data in request that include additional client data. 

• Not a GET request. 


.nsc file 


Created from the multicast station definition and saved through the browser as a text 
file encoded in a Microsoft proprietary format. Without an .nsc file, the multicast 
station definition does not work. 


NTP 


To manage objects in an appliance, an SG appliance must know the current Universal 
Time Coordinates (UTC) time. By default, the SG appliance attempts to connect to a 
Network Time Protocol (NTP) server to acquire the UTC time. SG appliance includes 
a list of NTP servers available on the Internet, and attempts to connect to them in the 
order they appear in the NTP server list on the NTP tab. 



O 



object (used in caching) 


An object is the item that is stored in an appliance. These objects can be frequently 
accessed content, content that has been placed there by content publishers, or Web 
pages, among other things. 


object (used in Visual Policy 
Manager) 


An object (sometimes referred to as a condition) is any collection or combination of 
entry types you can create individually (user, group, IP address/ subnet, and 
attribute). To be included in an object, an item must already be created as an 
individual entry. 


object pipelining 


This patented algorithm opens as many simultaneous TCP connections as the origin 
server will allow and retrieves objects in parallel. The objects are then delivered from 
the appliance straight to the user's desktop as fast as the browser can request them. 
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origin content server (OCS) 


Also called origin server. This is the original source of the content that is being 
requested. An appliance needs the OCS to acquire data the first time, to check that 
the content being served is still fresh, and to authenticate users. 


outbound traffic (bandwidth 
gain) 


Network packets flowing out of the SG appliance. Outbound traffic mainly consists 
of the following: 

• Client outbound: Packets sent to the client in response to a Web request. 

• Server outbound: Packets sent to an OCS or upstream proxy to request a service. 



P 



PAC (Proxy 

AutoConfiguration) scripts 


Originally created by Netscape, PACs are a way to avoid requiring proxy hosts and 
port numbers to be entered for every protocol. You need only enter the URL. A PAC 
can be created with the needed information and the local browser can be directed to 
the PAC for information about proxy hosts and port numbers. 


packet capture (PCAP) 


Allows filtering on various attributes of the Ethernet frame to limit the amount of 
data collected. You can capture packets of Ethernet frames going into or leaving an 
SG appliance. 


parent class (bandwidth 
gain) 


A class with at least one child. The parent class must share its bandwidth with its 
child classes in proportion to the minimum /maximum bandwidth values or priority 
levels. 


passive mode data 
connections (PASV) 


Data connections initiated by an FTP client to an FTP server. 


pipelining 


See object pipelining. 


policies 


Groups of rules that let you manage Web access specific to the needs of an enterprise. 
Policies enhance SG appliance feature areas such as authentication and virus 
scanning, and let you control end-user Web access in your existing infrastructure. 

See also refresh policies. 


policy-based bypass list 


Used in policy. Allows a bypass based on the properties of the client, unlike static 
and dynamic bypass lists, which allow traffic to bypass the appliance based on 
destination IP address. See also bypass lists and dynamic bypass. 


policy layer 


A collection of rules created using Blue Coat CPL or with the VPM. 


pragma: no cache (PNC) 


A metatag in the header of a request that requires the appliance to forward a request 
to the origin server. This allows clients to always obtain a fresh copy (of the request?). 


proxy 


Caches content, filters traffic, monitors Internet and intranet resource usage, blocks 
specific Internet and intranet resources for individuals or groups, and enhances the 
quality of Internet or intranet user experiences. 

A proxy can also serve as an intermediary between a Web client and a Web server 
and can require authentication to allow identity based policy and logging for the 
client. 

The rules used to authenticate a client are based on the policies you create on the SG 
appliance, which can reference an existing security infrastructure — LDAP, RADIUS, 
IWA, and the like. 
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Proxy Edition 


SGOS 5 Proxy Edition. 


proxy service 


The proxy service defines the ports, as well as other attributes, that are used by the 
proxies associated with the service. 


proxy service (default) 


The default proxy service is a service that intercepts all traffic not otherwise 
intercepted by other listeners. It only has one listener whose action can be set to 
bypass or intercept. No new listeners can be added to the default proxy service, and 
the default listener and service cannot be deleted. Service attributes can be changed. 


public key certificate 


An electronic document that encapsulates the public key of the certificate sender, 
identifies this sender, and aids the certificate receiver to verify the identity of the 
certificate sender. A certificate is often considered valid if it has been digitally signed 
by a well-known entity, which is called a Certificate Authority (such as VeriSign). 


public virtual IP (VIP) 


Maps multiple servers to one IP address and then propagates that information to the 
public DNS servers. Typically, there is a public VIP known to the public Internet that 
routes the packets internally to the private VIP. This enables you to "hide" your 
servers from the Internet. 



real-time streaming protocol 
(RTSP) 


A standard method of transferring audio and video and other time-based media over 
Internet-technology based networks. The protocol is used to stream clips to any RTP- 
based client. 


reflect client IP attribute 


Enables the sending of the client's IP address instead of the SG's IP address to the 
upstream server. If you are using an application delivery network (ADN), this setting 
is enforced on the concentrator proxy through the Configuration > App. Delivery 
Network > Tunneling tab. 


registration 


An event that binds the appliance to an account, that is, it creates the Serial#, Account 
association. 


remote authentication dial- 
in user service (RADIUS) 


Authenticates user identity via passwords for network access. 


reverse proxy 


A proxy that acts as a front-end to a small number of pre-defined servers, typically to 
improve performance. Many clients can use it to access the small number of 
predefined servers. 


routing information protocol 
(RIP) 


Designed to select the fastest route to a destination. RIP support is built into Blue 
Coat appliances. 


router hops 


The number of jumps a packet takes when traversing the Internet. 



S 
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secure shell (SSH) 


Also known as Secure Socket Shell. SSH is an interface and protocol that provides 
strong authentication and enables you to securely access a remote computer. Three 
utilities — login, ssh, and scp — comprise SSH. Security via SSH is accomplished using 
a digital certificate and password encryption. Remember that the Blue Coat SG 
appliance requires SSH1. An SG appliance supports a combined maximum of 16 
Telnet and SSH sessions. 


serial console 


A third-party device that can be connected to one or more Blue Coat appliances. 
Once connected, you can access and configure the appliance through the serial 
console, even when you cannot access the appliance directly. 


server certificate categories 


The hostname in a server certificate can be categorized by BCWF or another content 
filtering vendor to fit into categories such as banking, finance, sports. 


server portals 


Doorways that provide controlled access to a Web server or a collection of Web 
servers. You can configure Blue Coat SG appliances to be server portals by mapping 
a set of external URLs onto a set of internal URLs. 


server-side transparency 


The ability for the server to see client IP addresses, which enables accurate client- 
access records to be kept. When server-side transparency is enabled, the appliance 
retains client IP addresses for all port 80 traffic to and from the SG appliance. In this 
scheme, the client IP address is always revealed to the server. 


service attributes 


Define the parameters, such as explicit or transparent, cipher suite, and certificate 
verification, that the SG appliance uses for a particular service. . 


SG appliance 


A Blue Coat security and cache box that can help manage security and content on a 
network. 


sibling class (bandwidth 
gain) 


A bandwidth class with the same parent class as another class. 


simple network 
management protocol 
(SNMP) 


The standard operations and maintenance protocol for the Internet. It uses MIBs, 
created or customized by Blue Coat, to handle (needs completion). 


simulated live 


Used in streaming. Defines playback of one or more video-on-demand files as a 
scheduled live event, which begins at a specified time. The content can be looped 
multiple times, or scheduled to start at multiple start times throughout the day. 


SmartReporter log type 


A proprietary ELFF log type that is compatible with the SmartFilter SmartReporter 
tool. 


SOCKS 


A proxy protocol for TCP/IP-based networking applications that allows users 
transparent access across the firewall. If you are using a SOCKS server for the 
primary or alternate forwarding gateway, you must specify the appliance's ID for the 
identification protocol used by the SOCKS gateway. The machine ID should be 
configured to be the same as the appliance's name. 


SOCKS proxy 


A generic way to proxy TCP and UDP protocols. The SG appliance supports both 
SOCKSv4/4a and SOCKSv5; however, because of increased username and password 
authentication capabilities and compression support. Blue Coat recommends that 
you use SOCKS v5. 


splash page 


Custom message page that displays the first time you start the client browser. 
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split proxy 


Employs co-operative processing at the branch and the core to implement 
functionality that is not possible in a standalone proxy. Examples of split proxies 
include: 

• Mapi Proxy 

• SSL Proxy 


SQUID-compatible format 


A log type that was designed for cache statistics and is compatible with Blue Coat 
products. 


squid-native log format 


The Squid-compatible format contains one line for each request. 


SSL authentication 


Ensures that communication is with "trusted" sites only. Requires a certificate issued 
by a trusted third party (Certificate Authority). 


SSL interception 


Decrypting SSL connections. 


SSL proxy 


A proxy that can be used for any SSL traffic (HTTPS or not), in either forward or 
reverse proxy mode. 


static route 


A manually-configured route that specifies the transmission path a packet must 
follow, based on the packet's destination address. A static route specifies a 
transmission path to another network. 


statistics 


Every Blue Coat appliance keeps statistics of the appliance hardware and the objects 
it stores. You can review the general summary, the volume, resources allocated, 
cache efficiency, cached contents, and custom URLs generated by the appliance for 
various kinds of logs. You can also check the event viewer for every event that 
occurred since the appliance booted. 


stream 


A flow of a single type of data, measured in kilobits per second (Kbps). A stream 
could be the sound track to a music video, for example. 


SurfControl log type 


A proprietary log type that is compatible with the SurfControl reporter tool. The 
SurfControl log format includes fully-qualified usernames when an NTLM realm 
provides authentication. The simple name is used for all other realm types. 


syslog 


An event-monitoring scheme that is especially popular in Unix environments. Most 
clients using Syslog have multiple devices sending messages to a single Syslog 
daemon. This allows viewing a single chronological event log of all of the devices 
assigned to the Syslog daemon. The Syslog format is: "Date Time Hostname Event." 


system cache 


The software cache on the appliance. When you clear the cache, all objects in the 
cache are set to expired. The objects are not immediately removed from memory or 
disk, but a subsequent request for any object requested is retrieved from the origin 
content server before it is served. 



T 



time-to-live (TTL) value 


Used in any situation where an expiration time is needed. For example, you do not 
want authentication to last beyond the current session and also want a failed 
command to time out instead of hanging the box forever. 



97 



Volume 7: Managing Content 



traffic flow 
(bandwidth gain) 



transmission control 
protocol (TCP) 

transparent proxy 

trial period 

U 

unicast alias 

universal time coordinates 
(UTC) 

URL filtering 
URL rewrite rules 

W 

WCCP 



Also referred to as flow. A set of packets belonging to the same TCP/UDP connection 
that terminate at, originate at, or flow through the SG appliance. A single request 
from a client involves two separate connections. One of them is from the client to the 
SG appliance, and the other is from the SG appliance to the OCS. Within each of 
these connections, traffic flows in two directions — in one direction, packets flow out 
of the SG appliance (outbound traffic), and in the other direction, packets flow into 
the SG (inbound traffic). Connections can come from the client or the server. Thus, 
traffic can be classified into one of four types: 

• Server inbound 

• Server outbound 

• Client inbound 

• Client outbound 

These four traffic flows represent each of the four combinations described above. 
Each flow represents a single direction from a single connection. 

TCP, when used in conjunction with IP (Internet Protocol) enables users to send data, 
in the form of message units called packets, between computers over the Internet. 
TCP is responsible for tracking and handling, and reassembly of the packets; IP is 
responsible for packet delivery. 

A configuration in which traffic is redirected to the SG appliance without the 
knowledge of the client browser. No configuration is required on the browser, but 
network configuration, such as an L4 switch or a WCCP-compliant router, is 
required. 

Starting with the first boot, the trial period provides 60 days of free operation. All 
features are enabled during this time. 



Defines an name on the appliance for a streaming URL. When a client requests the 
alias content on the appliance, the appliance uses the URL specified in the unicast- 
alias command to request the content from the origin streaming server. 

An SG appliance must know the current UTC time. By default, the appliance 
attempts to connect to a Network Time Protocol (NTP) server to acquire the UTC 
time. If the SG appliance cannot access any NTP servers, you must manually set the 
UTC time. 

See content filtering. 

Rewrite the URLs of client requests to acquire the streaming content using the new 
URL. For example, when a client tries to access content on www.mycompany.com, 
the appliance is actually receiving the content from the server on 10.253.123.123. The 
client is unaware that mycompany.com is not serving the content; however, the 
appliance access logs indicate the actual server that provides the content. 



Web Cache Communication Protocol. Allows you to establish redirection of the 
traffic that flows through routers. 
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Web FTP 



Websense log type 
X 

XML responder 
XML requestor 



Web FTP is used when a client connects in explicit mode using HTTP and accesses an 
ftp:/ / URL. The SG appliance translates the HTTP request into an FTP request for 
the OCS (if the content is not already cached), and then translates the FTP response 
with the file contents into an HTTP response for the client. 

A Blue Coat proprietary log type that is compatible with the Websense reporter tool. 



HTTP XML service that runs on an external server. 
XML realm. 
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